RV042 - Priority Routing HTTP Traffic Over WAN2?
Hi,
I have an RV042 set to load balancing. WAN1 is a T1 and WAN2 is an ADSL connection. It seems that more often than not web traffic is going out over the slower WAN1, so I'd like to try to route http traffic over the ADSL before the T1 due to the higher download speed.
Is there a way to do this?
Thanks!
blasty,
Yes it is possible. It is called protocol binding, and the configuration steps for this can be found on page 23 of this guide:
http://www.cisco.com/en/US/docs/routers/csbr/rv042/admin/guide/RV042_V10_UG_C-WEB.pdf
If you have any problems please post them in as much detail as possible.
Bill
Similar Messages
-
How can I route internet traffic over IPSec point to point?
I have a remote site that connects by IPsec with the endpoints on a router and an ASA. The connection is working fine and the remote site can access my other networks at the main headquarters. The problem is, currently this remote site is accessing the internet via the same link that is supposed to VPN everything back to headquarters. I need to figure out how to VPN their internet traffic to my main headquarters. There's an iPrism behind the firewall to filter web access, so it seems like I need to point the remote site's default gateway to my routing device that's behind my iPrism?
Also, currently the outside interface on the remote site's router does not have an ACL applied; can someone suggest what that ACL should look like? Thank you for your help! Here is a sample configuration of the remote site's router:
crypto isakmp policy 20
(encryption parameters here)
crypto isakmp key password address x.x.x.x (Public ASA IP) no-xauth
crypto ipsec transform-set remotesite (encryption parameters here)
crypto ipsec df-bit clear
crypto map Mainsite 1 ipsec-isakmp
set peer x.x.x.x (Public ASA IP)
set transform-set remotesite
match address 100
interface FastEthernet0/0
description $ETH-LAN$
ip address 10.1.1.1 255.255.0.0
ip nbar protocol-discovery
interface FastEthernet0/1
description ISP Interface
ip address x.x.x.x (public IP) 255.255.255.0
crypto map Mainsite
crypto ipsec df-bit clear
ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP's default gateway)
access-list 100 remark Access list Mainsite Access
access-list 100 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
and other various headquarter networks...
Hi Mark, you can modify your crypto ACL to permit any any on your remote site, which will make all traffic go through the tunnel. Then on the ASA you need to do hairpinning on the outside interface. This will make users on the remote site access the internet via HQ. But if you do it this way the internet traffic goes straight to the internet without being filtered by your iPrism.
What I am not sure about is whether there is a way to do it if you want that traffic to be filtered by the iPrism before going out to the internet.
HTH -
Best way to pass IPv4 and IPv6 traffic over a GRE Tunnel
Hello,
We have two 3825 routers with Advanced Enterprise IOS 12.4.9(T). Each of them serves many IPv4 (private and public) and IPv6 networks on their respective site.
We have created a wireless link between the two, using 4 wireless devices, with IP Addresses 10.10.2.2, 3, 4, 5 respectively (1 and 6 are the two end Ethernet interfaces on the routers).
Then we created a GRE tunnel over this link using addresses 172.16.1.1 and 2 (for the two ends) to route traffic over this link.
Now we want to route IPv6 traffic over the same link. However, we found that simply routing the IPv6 traffic over the above GRE / IP tunnel did not work.
Questions:
Is there a way we can use the same (GRE / IP) tunnel to transport both IPv4 and IPv6 traffic?
If not, can we setup two GRE tunnels over the same wireless link, that is, one GRE / IP for IPv4 traffic and a second one GRE / IPv6 for IPv6 traffic?
In brief, what is the suggested way to transport IPv4 and IPv6 traffic over the aforementioned (wireless) link?
I have read http://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html#wp1061361 and other Internet material, however I am still confused.
Please help.
Thanks in advance,
Nick
We have set up two tunnels over the same link, one GRE / IP for the IPv4 traffic and one IPv6 / IP ("manual") for the IPv6 traffic. This setup seems to be working OK.
If there are other suggestions, please advise.
Thanks,
Nick -
We are using two RV042s at site with a remote office, and each has a normal internet connection on WAN1. The remote site also has a dedicated wireless link to the Main site so those users can access the server, but the RV042 is routing normal outbound traffic over BOTH WANs instead of just WAN1 (Load Balance).
How does one set WAN1 as the primary outbound link? Dual WAN only has "Load Balance" and "Smart Link", and there appears to be no way to set the route priority.
Thanks!
Lee
L.V.,
Use Protocol Binding to bind outbound traffic to one WAN port or the other. As an example you can bind all http traffic to WAN 1 so anyone browsing the web will connect over that WAN port only. If WAN 1 goes down, then the traffic will route to WAN 2.
- Marty -
Encapsulate ODBC traffic over HTTP???
Does anyone know if it's possible to have an external client (on the internet) make an ODBC connection to a database that is behind a firewall which only allows HTTP traffic to pass through? I guess the question is: is it possible to encapsulate ODBC traffic over the HTTP protocol so that it can pass through the firewall?
Thanks in advance,
John Sebastian
Probably not easily, no.
If the firewall allows arbitrary traffic on port 80, you could configure the Oracle database to accept connections on that port and configure the tnsnames.ora on the client machine to use port 80. This wouldn't go through HTTP, so if the firewall is actually analyzing the traffic, you'd be out of luck, but it would work if the port is wide open. Of course, it is a terrible idea from a security perspective-- opening up databases to connections over the internet is a recipe for pain and suffering.
It is certainly possible to write an ODBC to HTTP proxy that converts an ODBC call into some sort of web service call and then write an HTTP to ODBC proxy that lives inside the firewall that translates the HTTP calls back into ODBC calls, but that is likely to be very slow. And a lot of code-- I'm not aware of any commercial utilities that do that sort of thing.
Generally, the proper way to do something like this is to use Oracle Connection Manager (or something similar that is baked in to certain firewall products) to proxy the Oracle connection through the firewall. But that requires changing the firewall setup and/or installing additional software.
Justin -
Cisco RV042 Firewall Blocking LAN Traffic
Hello Everyone,
I currently have an RV042G with a downstream SG-300 connected to one of the LAN interfaces. Connected to the SG-300 are a couple of servers running ESXi. Inter-VLAN routing is working fine on the current setup; however, I am only able to connect to my ESXi hosts on a separate VLAN for approximately a minute before the connection is dropped. I have concluded that the firewall seems to be the culprit in blocking my traffic. If I turn the firewall off, everything acts as expected. There is a default "ANY/ANY" rule for LAN traffic enabled and I have added a couple of extras allowing all traffic for IP ranges, but I still seem to be losing my connections. To make matters more confusing, I can see ACCESS_RULE events in the firewall logs permitting the traffic (or so I'm interpreting them).
Regardless, here's how my rules currently stand below. I put another ANY/ANY rule in because the default didn't seem to be working -- I immediately was able to ping other hosts on different VLANs after adding the rule. I was under the assumption allowing all traffic from any source to any destination would make the LAN pretty accessible. I would appreciate any guidance or resources on this topic to set up some quick firewall rules to get things up and running. Thanks in advance.
Priority | Action | Service         | Source Interface | Source                    | Destination               | Time
123      | Allow  | All Traffic [1] | LAN              | 10.10.21.1 ~ 10.10.21.31  | 10.10.10.10 ~ 10.10.10.10 | Always
123      | Allow  | All Traffic [1] | LAN              | 10.10.10.10 ~ 10.10.10.10 | 10.10.21.1 ~ 10.10.21.31  | Always
123      | Allow  | All Traffic [1] | LAN              | Any                       | Any                       | Always
-        | Allow  | All Traffic [1] | LAN              | Any                       | Any                       | Always
-        | Deny   | All Traffic [1] | WAN1             | Any                       | Any                       | Always
-        | Deny   | All Traffic [1] | WAN2             | Any                       | Any                       | Always
(The Enable, Day and Delete columns of the rule table hold only UI controls and are omitted here.)
I guess I should clarify, the SG-300 is running in Layer 3 mode, and the VLANs are defined on it; however, the static routes are defined on the RV042. Maybe there's a more efficient way of doing this?
Below is a scrubbed copy of my switch configuration.
config-file-header
SWITCH01
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router
vlan database
vlan 2
exit
no bonjour enable
hostname SWITCH01
no logging console
ip ssh server
ip ssh password-auth
clock timezone CEST +1
interface vlan 1
ip address 10.10.10.2 255.255.255.0
no ip address dhcp
interface vlan 2
name VIRTUAL-MANAGEMENT
ip address 10.10.21.1 255.255.255.224
interface gigabitethernet1
description ESXI01:VMNIC0:MGMT
switchport trunk allowed vlan add 2
interface gigabitethernet20
description UPLINK
exit
ip route 0.0.0.0 /0 10.10.10.1 metric 15
The routes I have defined are:
Destination IP | Subnet Mask     | Default Gateway | Hop Count | Interface
10.10.21.0     | 255.255.255.224 | 10.10.10.2      | 1         | eth0
10.10.10.0     | 255.255.255.0   | -               | 0         | eth0
-              | 255.255.252.0   | -               | 0         | eth1
239.0.0.0      | 255.0.0.0       | -               | 0         | eth0
default        | 0.0.0.0         | -               | 40        | eth1
Just to reiterate the problem, I am able to connect to hosts on VLAN 2 from my computer on VLAN 1, but I am disconnected a minute or so later. When the firewall is disabled, I have no issues with connecting to the host across VLANs and maintaining that connection. Maybe I have a misconfiguration somewhere that is causing some issues? I appreciate the help. -
I am currently using RV042 in the two-WAN backup mode. However, I tried the redundant option and am finding it to give me more bandwidth and better performance than only one of the WANs.
My problem is that in the redundant mode, I am unable to use a few websites that I use on a regular basis. One of the sites is our internet hosted time sheet service and their site just goes crazy when I try to access it through the router set up in redundant mode. I am not even able to login to their site, and it is important for my daily work.
My question is: can I set up static routes for certain sites so that the router knows to access them through only one of my WANs? For example, if my timesheet software site is 123.123.123.123, and my preferred WAN gateway is 68.68.68.68, can I tell the router to only access this site through the given gateway, even if the router is configured to use either WAN?
I have tried static routes and it does not seem to work at all.
For example:
Site: 123.123.123.123
SM: 255.255.255.0
Gateway 68.68.68.68
When I save this and run the tracert to 123.123.123.123, it goes through the other gateway, and not the one I specified here.
Any hints are appreciated.
Thanks,
Alex P.
If you're using this in load balance mode, go to System Management and scroll down to Protocol Binding. Chances are you're going to a secure site with both WANs working, and the site sees one connection with two IP addresses coming at it and breaks the connection. You can do a protocol bind for all your HTTPS traffic to go out one WAN for all the IP addresses in your network, and this should fix the issue. You can do this for mail and other protocols that would get messed up by the dual WAN. Hope this helps.
-
RV042 - Cant route additional internal Subnets to Internet
Hi,
I've got a problem which, from what I'm reading, is not an isolated one.
Currently we have 1 RV042 which provides Internet Traffic for 192.168.16.x/24, in addition to this I also have a test environment sitting in VMware that exists on 192.168.0.x/24. Due to the nature of the test environment, and to ensure that no DHCP traffic (amongst others) leaves the test environment, I have a Linux router which routes between 192.168.0.x/24 and 192.168.16.x/24. For those that understand VMware, the test vSwitch does not have any uplinks, all traffic in and out of the test environment must go through the Linux Router.
I have an additional route specified in the RV042 for the 192.168.0.x subnet using the Linux router as the gateway.
All machines in the test environment can ping/route/connect to machines in the production network, and vice versa (RV042 inc).
All machines in the Prod environment can access the Internet through the RV042 (both on the 192.168.16.x subnet).
The machines in the Test environment cannot access the Internet through the RV042, however they can ping the internal (192.168.16.x) interface of the RV042.
I've investigated using the Multi-Subnet feature of the RV042 and also homing it on the 192.168.0.x subnet; however, this will not work, as the 192.168.0.x machines cannot access the physical network without going through the Linux router and terminating on the 192.168.16.x subnet.
See the diagram below for a clearer idea. Keep in mind that multi-homing the RV042 on the 192.168.0.x network is not an option!!!
(FOR A FULL SIZE VERSION OF THE DIAGRAM CLICK --> http://www.excelerate.com.au/downloads/rv042.jpg)
Hi,
As per the above conclusion it is clear that traffic behind the Linux router is not getting NATed and so is unable to use the internet; try configuring iptables NAT on the Linux router.
http://www.karlrupp.net/en/computer/nat_tutorial
Hope to Help !!
Ganesh.H
Remember to rate the helpful post -
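The iptables NAT that the reply above recommends, as an added example (not from the original thread or the linked tutorial): a POSIX sh script that generates an iptables-restore ruleset for the Linux router sitting between the 192.168.0.x test subnet and the 192.168.16.x production subnet the RV042 serves, masquerading test traffic behind the router's production address and keeping DHCP inside the test environment as the poster requires. The interface names eth0 (test side) and eth1 (production side) are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Generates (and, on
# request, applies) an iptables-restore ruleset for a Linux router between a
# test subnet and the production subnet an RV042 NATs to the internet.
# Assumed interface names: $1 faces 192.168.0.0/24, $2 faces 192.168.16.0/24.

TEST_NET=192.168.0.0/24
PROD_NET=192.168.16.0/24

# Emit a complete iptables-restore ruleset on stdout.
#   $1 = interface on the test subnet, $2 = interface on the production subnet
build_nat_rules() {
    test_if=$1
    prod_if=$2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source-NAT test-subnet traffic leaving towards production, so the RV042
# sees a 192.168.16.x source address it is willing to forward and NAT to WAN.
-A POSTROUTING -s $TEST_NET -o $prod_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Return traffic for connections either side already opened.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Keep DHCP (server and client ports) inside the test environment.
-A FORWARD -i $test_if -p udp --dport 67:68 -j DROP
# Test subnet may reach production and, via the RV042, the internet.
-A FORWARD -i $test_if -s $TEST_NET -o $prod_if -j ACCEPT
# Production hosts keep their existing direct access to test hosts.
-A FORWARD -i $prod_if -s $PROD_NET -o $test_if -j ACCEPT
COMMIT
EOF
}

# Enable forwarding and load the ruleset atomically (needs root).
apply_nat_rules() {
    sysctl -w net.ipv4.ip_forward=1
    build_nat_rules "$1" "$2" | iptables-restore
}

# Usage: ./nat.sh [--apply] [test_if] [prod_if]; without --apply it only prints.
case "${1:-}" in
    --apply) apply_nat_rules "${2:-eth0}" "${3:-eth1}" ;;
    *)       build_nat_rules "${2:-eth0}" "${3:-eth1}" ;;
esac
```

Review the printed ruleset first, then run with --apply and confirm with `iptables -t nat -L POSTROUTING -v` that the MASQUERADE counters increase when a test host browses.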
Intercepting all http traffic and forwarding to VIP on CSM?
We would like to intercept all http traffic from clients from all vlans and redirect them to a VIP on the CSM for loadbalancing to 2 proxy servers. Is this possible? I can't seem to find a solution similar to our issue? Please help thanks!
Thx Giles! Do you mean a policy that uses route-maps with next-hop? So would I point the next-hop address to the CSM client vlan IP? Do you have a support link that covers this in detail? Thx!
-
SG300 Redirect HTTP Traffic to Proxy
Dear Cisco Community,
We have the following setup
1 x SG300 Switch in Layer 3 Mode
VLAN 100 (Management VLAN)
VLAN 200 (Data VLAN for Internet Users)
The SG300 has an IP4 Interface in each VLAN:
100: 10.1.1.254 / 24
200: 10.1.2.254 / 24
The internet gateway (Zyxel USG-100) is located in VLAN 100.
In order to restrict web browsing activities, we're in the process of implementing a proxy server (GFI WebMonitor). Is it possible to redirect all HTTP and HTTPS traffic which arrives at the SG300's VLAN 200 IP interface to the proxy server? I was thinking of a static route, but then this would apply to all traffic. Another option would be to block port 80/443 traffic using an ACL, I suppose.
Any input will be highly appreciated, thank you!
Kind regards,
Romeo
Hi Mohamad,
I've seen this done in slightly different ways. One way is at the very bottom of the following examples from the Cisco.com CSM-S config guide:
CSM-S Configuration Examples
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/cfgxpls.html
Another way is like this:
serverfarm REDIRECT
nat server
no nat client
redirect-vserver REDIRECT
webhost relocation https://www.example.com/
inservice
serverfarm SSL_DC
no nat server
no nat client
real 192.168.78.36 local
inservice
vserver VSERVER_80
virtual 192.168.78.35 tcp 80
serverfarm REDIRECT
persistent rebalance
inservice
vserver VSERVER_443
virtual 192.168.78.35 tcp 443
serverfarm SSL_DC
persistent rebalance
inservice
Hope this helps get you started.
Sean -
Multicast Traffic Over ATM Link
Hi,
I have an ATM link (45 Mb/s) between 2 locations. In one of my locations I multicast 4 different video streams. My 4 multicast streams reach the source router via 1 FastEthernet port and after that go to the destination over the ATM link. Now I have an issue at the destination. I need to separate the 4 multicast streams on the destination router: 1 of my multicast streams has to go through VLAN 123 and the other 3 multicast streams through VLAN 200.
Now all of the multicast traffic is going through VLAN 123.
Can anybody help me with this issue?
thanks
Mike -
Ironport not forwarding HTTPS traffic
We have recently been trying to setup a BYOD wireless network and the wireless Clients that join this network have their traffic routed directly to an Ironport S370 (Ver7.1.4-053) as we do not want the BYOD users to have to configure their proxy settings.
We have created an Identity which matches the Subnet given to BYOD devices with no authentication and then an Access Policy for filtering, all this works as long as the traffic is HTTP, as soon as you try to access anything using HTTPS then the Ironport seems to drop the traffic as it never hits the firewall and the page cannot be displayed.
Any domained clients which have the Ironport address as their proxy work fine.
The Ironport is not set to bypass any addresses in bypass settings.
I am sure there must be a simple answer as to why HTTPS traffic is not being forwarded, and any pointers as to why this is would be greatly appreciated.
Many thanks,
Neil.
Hi Igor and Neil,
As per the AsyncOS 7.5 documentation, the HTTPS proxy needs to be enabled to process HTTPS traffic in transparent mode.
The following is the extract from the documentation.
" When the Web Proxy is configured in transparent mode, you must enable the HTTPS Proxy if the appliance receives HTTPS traffic. When the HTTPS Proxy is disabled, the Web Proxy passes through explicit HTTPS connections and it drops transparently redirected HTTPS requests. The access logs contain the CONNECT requests for explicit HTTPS connections, but no entries exist for dropped transparently redirected HTTPS requests "
If you do not want to decrypt HTTPS traffic, you can enable HTTPS proxy in pass-through mode.
Thanks,
Wipula. -
Transporting QinQ traffic over L2 EoMPLS circuit
Hello,
Suppose that we have QinQ traffic that reaches a GigabitEthernet interface of a GSR. (The second VLAN tag has been previously imposed at a dot1q-tunnel interface of some edge switch. Traffic that reaches the GSR has 2 VLAN tags.) We want to deliver this traffic (over an MPLS backbone) to the GigabitEthernet interface of another GSR. What configuration options are there? Would a configuration like the following (symmetrically configured at both GigabitEthernet interfaces) work, and why?
interface GigabitEthernet s1/s2/s3.x
encapsulation dot1Q x
xconnect <peer-router-id> <vc-id> encapsulation mpls
(x above is supposed to play the role of the outermost/service VLAN tag)
I am wondering whether the command encapsulation dot1q second-dot1q is actually needed or not.
Any answers or documentation or related standards/drafts will be appreciated.
Kind Regards,
Maria
Hi Maria, [Pls RATE if HELPS]
I have implemented a Scenario as below:
Base Station - A
=================
Metro Edge Switch Config:
int Gi 0/46
switchport access vlan 402 >> OuterVLAN in QnQ
switchport mode dot1q-tunnel
description X-Connect to BaseStation-LAN
Base Station LAN Switch Config:
int GI 0/45
description X-connection to Metro Edge
switchport trunk encapsulation dot1q
switchport mode trunk
Base Station - B
=================
Metro Edge Switch Config:
int GI 0/46
switchport access vlan 401 >> OuterVlan in QnQ
switchport mode dot1q-tunnel
description X-connect to Bast Station LAN
Base Station LAN Switch Config:
int GI 0/45
description X-Connect to Metro Edge
switchport trunk encapsulation dot1q
switchport mode trunk
NOC:
====
Metro Head end Switch Config:
int GI 0/45
description to X-Connect to Provider Edge
switchport mode dot1q-tunnel
switchport mode trunk
Provider Edge Router Config:
int Gi 0/1.402100
encapsulation dot1q 402 second-dot1q 100
!! 402 is the OuterVLAN and 100 is Customer VLAN
ip address 10.100.0.101 255.255.255.252
description Customer Bast Station - A
int Gi 0/1.401100
encapsulation dot1q 401 second-dot1q 100
!! 401 is the OuterVLAN and 100 is Customer VLAN
ip address 10.100.0.101 255.255.255.252
description Customer Bast Station - B
In the above config, QinQ is enabled on the Metro Edge, and the encapsulation function for the provider edge is carried out by the metro edge switches and the PE routers. This way the VLANs are duplicated within the metro network itself, also keeping the VLAN allocation local.
Hope I am Informative.
PLS RATE if HELPS
Best Regards,
Guru Prasad R -
Can OS X Server 10.6 reverse proxy be set up to route port 5003 traffic (FileMaker Server) to 2 separate servers (FM 11 and FM 12)?
In your scenario, how is the 'OS X 10.6 Server' supposed to identify which FM machine to proxy the connection to?
The FM client uses a proprietary protocol, so it's not something simple like HTTP. Off hand I don't know of any way the server can accept arbitrary connections on port 5003 and know which FM server to relay it to.
Two options come to mind. One is to nix the OS 10.6 Server altogether - I don't understand this machine's purpose in your network - the second is to setup different ports on the OS X 10.6 Server machine and map each port to a different FM server, e.g. 5003 -> FM11, 5004 -> FM12, then you configure the remote client to connect to a different port number based on the server they want to connect to. I haven't used FM client in a long time to know if this is supported on the client side, but I'm guessing it is.
Either way, using a proprietary protocol, there's no way for the proxy machine to be able to filter the traffic on any given ports. -
Vpc bind-vrf on Nexus 7000/N7k to ensure forwarding of multicast traffic over peer-link?
In previous vPC setups with N5k (or also N6k), I had to use the 'vpc bind-vrf' command to ensure the forwarding of multicast over the vpc peer-link, especially for receivers in in non-vPC VLANs and the receivers connected to Layer 3 interfaces.
I am wondering why this command isn't available on N7k? Isn't this necessary on this platform or is it just not yet implemented?
Any hint is welcome!
Stephan Strack
Hey Stephan,
The 'vpc bind-vrf' command allocates a special internal VLAN for routing traffic over the vPC peer-link to ensure L3 connections on the vPC peer or orphan ports successfully receive multicast traffic on N5k/N6k platforms. This workaround is not needed on the N7K because that platform implements the vPC loop prevention rule differently in hardware.
In short, 'vpc bind-vrf' is not required on N7K.
-Andy