Setting advertisement / split horizon direction in EIGRP routing
Hello all,
I am trying to work out if I am being a bit rubbish or if split horizon is my new worst enemy.
Below is a diagram of my (simplified) problem scenario using EIGRP.
The solution I am looking for is that Router R3 learns of the 10.0.0.0/8 network from both R1 and R2, then does not advertise it to either. Simple with split horizon enabled.
But when either R1 or R2 is rebooted, a decision somehow takes place, and may well determine that R3 should advertise 10/8 to the new (rebooted) neighbour, at which point split horizon prevents it from being advertised back again. This means the topology table on R3 doesn't contain this route for this neighbour and is slow to converge if the other neighbour is lost.
Is there a way to control in which direction routes are advertised first on a neighbour link? Then I can let split horizon do its thing.
Or is there something I am not thinking of...
Many thanks,
Paul
This is what I think would work.
Two assumptions I'm making -
1) R1 and R2 have full routes in terms of the remote branch subnets which from what we have talked about seems to be the case.
2) R1 will advertise the specific subnets it is primary for (see below) to R3, which then advertises them to R2, and R2 will do the same for its primary subnets.
R1 is primary for 32 - 63 summary address 192.168.32.0 255.255.224.0
R2 is primary for 64 - 95 summary address 192.168.64.0 255.255.224.0
Each router is secondary for the other router's primary subnets.
On R1, configure a summary address for R2's subnets on the interface connecting to R3 -
ip summary-address eigrp <AS no> 192.168.64.0 255.255.224.0
On R2, do the same for R1's subnets -
ip summary-address eigrp <AS no> 192.168.32.0 255.255.224.0
So now -
R1 points to R3 and R3 points to R2 for 192.168.32.0/19
R2 points to R3 and R3 points to R1 for 192.168.64.0/19
Because you have used a summary address this suppresses the advertisement of the more specific routes within that summary range.
R1 will therefore advertise its specific subnets for which it is primary to R3 and a summary address only for R2's subnets.
And R2 does the same, i.e. it advertises its specific subnets and a summary for R1's.
R3 then obviously passes these summaries via EIGRP to R1 and R2.
R3's routing table will have specific branch routes pointing to the respective primary router but only a summary route for the same subnets pointing to the secondary router.
Because a router will always pick the longest match it will use the more specific subnets unless there isn't a matching route.
Which means no need to use metrics to load balance traffic.
In addition the summary route is already in the routing table so no need for either R1 or R2 to send a query to R3 if one of their branch links fail.
I may well have overlooked something so let me know whether you think this will work for you or not.
Jon
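To see why Jon's summary-plus-specifics design needs no metric tuning, here is an added Python model of R3's routing table. This is illustrative code written for this thread, not anything taken from the posters' routers; the next-hop addresses 10.0.13.1 and 10.0.23.2 are assumed, and `withdraw()` simulates a branch link failing on the primary router so that the lookup falls back to the /19 summary pointing at the secondary:

```python
import ipaddress

# Assumed addresses of R3's links to R1 and R2 (not given in the thread).
R1_NEXT_HOP = "10.0.13.1"
R2_NEXT_HOP = "10.0.23.2"


def build_r3_table():
    """Return R3's routes as (network, next_hop, source) tuples.

    Constructed to match Jon's design: R1 is primary for 192.168.32-63.x
    and R2 for 192.168.64-95.x; each router sends its own specifics plus a
    /19 summary covering the other router's block.
    """
    table = []
    for third in range(32, 64):
        table.append((ipaddress.ip_network(f"192.168.{third}.0/24"),
                      R1_NEXT_HOP, "R1 specific"))
    for third in range(64, 96):
        table.append((ipaddress.ip_network(f"192.168.{third}.0/24"),
                      R2_NEXT_HOP, "R2 specific"))
    # ip summary-address eigrp on R1 (for R2's block) and on R2 (for R1's block)
    table.append((ipaddress.ip_network("192.168.64.0/19"), R1_NEXT_HOP, "R1 summary"))
    table.append((ipaddress.ip_network("192.168.32.0/19"), R2_NEXT_HOP, "R2 summary"))
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, source in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, source)
    return best


def withdraw(table, network):
    """Simulate a branch link failure: the primary router stops sending
    that specific /24, leaving only the secondary's summary."""
    net = ipaddress.ip_network(network)
    return [route for route in table if route[0] != net]


if __name__ == "__main__":
    t = build_r3_table()
    print(lookup(t, "192.168.40.5"))                      # via R1 (specific /24)
    print(lookup(withdraw(t, "192.168.40.0/24"), "192.168.40.5"))  # via R2 (summary /19)
```

Because the summary is already installed, the fallback happens with an ordinary routing-table lookup and no query to R3 is needed, which is the point Jon makes about convergence.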
Similar Messages
Setting Up DNS - Making Sure I'm Not Running Split Horizon
Hello everyone - I'm wanting to make sure I am running my DNS correctly and that it isn't split horizon.
I purchased a domain name (johnsonsfromtyler.com). I have public "@" and "mail" A host names pointing to my public IP address, have a MX for johnsonsfromtyler.com pointing to mail.johnsonsfromtyler.com, and have a reverse lookup setup all via public DNS.
On my SLS running the private DNS I have the primary zone name set as johnsonsfromtyler.com. For the nameserver I have the zone johnsonsfromtyler.com. pointing to server.johnsonsfromtyler.com which has a static IP of 10.0.1.10. I also have a mail exchanger hostname of mail.johnsonsfromtyler.com with a priority of 10. I also have an alias for mail.johnsonsfromtyler.com pointed to server.johnsonsfromtyler.com. I also have forwarder IP addresses pointing to the OpenDNS servers.
I have my router setup to use the private DNS server located at 10.0.1.10 and the search domain as johnsonsfromtyler.com. server.johnsonsfromtyler.com is running DNS and all other server services.
So am I running DNS correctly and is this setup a split horizon setup? Also, do I need to have forwarder IP addresses pointing to external DNS servers?
As Mr Hoffman writes, if you "reuse" a public IP domain name in an internal private-IP-only LAN DNS you are using a "split horizon" DNS (where did that "designation" come from?).
To reach public IP servers using the same domain name from your LAN using only the internal DNS, you need to put also the public IP servers in your internal DNS with their public IPs. The reverse zone for any "remote" public IPs that Server Admin creates should be removed to let the DNS responsible for that zone answer those lookups - probably not too important for most configurations though.
BIND views can be used to give answers to lookups depending on where (what IP) the query comes from. The same DNS could be set up with different views where public and private IPs are in separate views so that private name -> IP lookups only get answered when the query comes from the private IP LAN. If you can have a different response (IP) for the same name -> IP lookup? - probably(?) - if the private IP view is listed before the public one in the DNS config.
And I think a DNS is always caching lookups (?) not depending on whether forwarders are used or not. Forwarders can speed up lookups but can also make trouble if they stop working/start refusing to answer recursive lookup queries. Without forwarders the DNS has to go "the long way" via root DNS servers (you should update /var/named/named.ca regularly, especially if not using forwarders).
EIGRP Routing across MPLS Cloud
I apologize if this has been covered but I don't see any exact hits...
We are working with our Service Provider to implement MPLS between our remote sites and main campus. We are currently using PtoP T1 in a hub and spoke model. We are running EIGRP in our entire environment.
We would like to continue to run EIGRP in our environment but the SP does not support this protocol through the cloud. I would prefer not to introduce any new routing protocols into our environment such as BGP. (I believe SP is running BGP).
I have read snippets that I can use a GRE tunnel between sites and send EIGRP routing updates via this tunnel.
Can anyone support this method or are there better alternatives? If I implement GRE, I will still need to configure static routes so GRE knows how to reach the remote sites. I also cannot find any literature on how to configure GRE tunnels and use them ONLY for routing updates. I would think sending all traffic via GRE would cause additional overhead.
I will also have a need to send Multicast traffic between sites. I have read that GRE is the way to do this. To me it seems GRE will serve dual purposes: first to allow dynamic routing updates between sites and also to allow Multicast traffic.
I appreciate any comments or suggestions!
Hello Phil,
Using GRE tunnels to build an overlay would deny one of the greatest benefits of MPLS L3 VPN: the peer model where each CE talks only with the local PE node.
Unless you have a small number of sites this approach is not recommended.
What if a new site is added in the future? You would need to configure a GRE tunnel to the new site in each of the existing sites.
You could run a DMVPN ( that is to use mGRE) to solve this but it has some complexity.
You can run BGP without using mutual redistribution: BGP allows you to advertise internal networks using the network command even if they are not directly connected to the CE router but learned via EIGRP.
So it is enough to redistribute only BGP into EIGRP by setting a default seed metric (it requires five values in EIGRP and it is necessary or redistribution will not occur)
router bgp 65001
neigh PE-address remote-as SP-AS-number
network 10.10.10.0 mask 255.255.255.0
network 10.10.20.0 mask 255.255.254.0
no auto-summary
! note:if auto-summary is disabled you need to provide the exact mask / prefix length
router eigrp 100
redistribute bgp 65001
default-metric 10000 1000 255 1 1500
! BW delay reliability load MTU
Hope to help
Giuseppe
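As an added illustration of Giuseppe's seed-metric point (this is example code written for this thread, not from the poster or from IOS), the classic EIGRP composite metric with the default K values is 256 * (10^7 / min_bandwidth_kbps + sum_delay / 10 µs). One caveat worth keeping in mind: in `default-metric` and `redistribute ... metric` the delay argument is already in tens of microseconds, whereas `show interfaces` reports delay in microseconds. The 156160 case below uses an assumed path of a FastEthernet link (100000 kbit/s, 100 µs) plus a loopback (5000 µs); that assumption reproduces the MED that R2's table shows for 4.4.4.4/32 in the allowas-in thread further down this page.

```python
def eigrp_metric(bandwidth_kbps, delay_tens_usec, k1=1, k2=0, k3=1, k4=0, k5=0,
                 reliability=255, load=1):
    """Classic 32-bit EIGRP composite metric.

    metric = 256 * [K1*BW + (K2*BW)/(256-load) + K3*delay] * K5/(reliability+K4)
    where BW = 10^7 / min bandwidth (kbit/s) and delay is in tens of µs.
    With K5 = 0 (the default) the reliability factor is not applied.
    """
    bw_term = 10_000_000 // bandwidth_kbps
    metric = k1 * bw_term + (k2 * bw_term) // (256 - load) + k3 * delay_tens_usec
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def seed_metric(default_metric_args):
    """Metric given to redistributed routes by `default-metric` or
    `redistribute ... metric`: five values, bandwidth delay reliability load MTU.
    Delay here is in tens of microseconds, reliability and load are informational
    with default K values, and MTU does not enter the calculation."""
    bw, delay, rel, load, _mtu = (int(x) for x in default_metric_args.split())
    return eigrp_metric(bw, delay, reliability=rel, load=load)


def path_metric(interfaces):
    """Metric of a path across several interfaces as (bandwidth_kbps, delay_usec)
    pairs taken from `show interfaces`: lowest bandwidth, summed delay."""
    min_bw = min(bw for bw, _ in interfaces)
    total_delay_usec = sum(delay for _, delay in interfaces)
    return eigrp_metric(min_bw, total_delay_usec // 10)


if __name__ == "__main__":
    # Giuseppe's seed metric: 10000 1000 255 1 1500
    print(seed_metric("10000 1000 255 1 1500"))
    # R3's `redistribute bgp 3 metric 100000 10 255 100 1500` from the next thread
    print(seed_metric("100000 10 255 100 1500"))
    # Assumed FastEthernet + loopback path (constructed values)
    print(path_metric([(100000, 100), (8000000, 5000)]))
```

Seed metrics only need to be consistent, not "accurate": every prefix redistributed from BGP gets the same value, so the figures chosen mainly set how EIGRP-internal paths compare against the redistributed (external, AD 170) ones.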
BGP allowas-in and split horizon problem.
Hi,
I need some help. I can't understand why R2 advertises the same networks back to the neighbor it received them from.
My topology is:
R1 is in AS1, R2 is in AS2 and R3 is in AS3, I've eBGP R1-R2, and eBGP R2-R3.
R1 and R3 have allowas-in configured to permit routes with their own AS.
The problem is with eBGP Updates. Router R1 advertises 1.1.1.1/32 to R2, and R2 sends the same route 1.1.1.1/32 back to R1.
I think that should not happen according to the BGP split horizon rules. R2 should not advertise those networks it learned from R1, unless R2 has a route with a better metric.
The same behavior happens between R2 and R3.
Thanks in advance.
All the router had the same IOS: c7200-is-mz.123-14.T1.bin
R1 Configuration
R1#sh run | sec router
router bgp 1
no synchronization
bgp log-neighbor-changes
network 1.1.1.1 mask 255.255.255.255
neighbor 172.28.1.1 remote-as 2
neighbor 172.28.1.1 allowas-in 10
neighbor 172.28.1.1 soft-reconfiguration inbound
no auto-summary
R1#
R2 Configuration
router bgp 2
no synchronization
bgp log-neighbor-changes
neighbor 172.28.1.2 remote-as 1
neighbor 172.28.1.2 soft-reconfiguration inbound
neighbor 172.28.2.2 remote-as 3
neighbor 172.28.2.2 soft-reconfiguration inbound
no auto-summary
R2#
R3 Configuration
router eigrp 200
redistribute connected
redistribute bgp 3 metric 100000 10 255 100 1500
network 192.168.3.0 0.0.0.3
no auto-summary
router bgp 3
no synchronization
bgp log-neighbor-changes
redistribute connected
redistribute eigrp 200
neighbor 172.28.2.1 remote-as 2
neighbor 172.28.2.1 allowas-in 10
neighbor 172.28.2.1 soft-reconfiguration inbound
no auto-summary
R3#
R1 BGP Table, Advertised Route, Received Routes
R1#sh ip bgp
BGP table version is 6, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 1.1.1.1/32 172.28.1.1 0 2 1 i
*> 0.0.0.0 0 32768 i
*> 3.3.3.3/32 172.28.1.1 0 2 3 ?
*> 4.4.4.4/32 172.28.1.1 0 2 3 ?
*> 172.28.2.0/30 172.28.1.1 0 2 3 ?
*> 192.168.3.0/30 172.28.1.1 0 2 3 ?
R1#
R1#sh ip bgp neighbors 172.28.1.1 advertised-routes
BGP table version is 6, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 0.0.0.0 0 32768 i
Total number of prefixes 1
R1#
R1#sh ip bgp neighbors 172.28.1.1 received-routes
BGP table version is 6, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 1.1.1.1/32 172.28.1.1 0 2 1 i
*> 3.3.3.3/32 172.28.1.1 0 2 3 ?
*> 4.4.4.4/32 172.28.1.1 0 2 3 ?
*> 172.28.2.0/30 172.28.1.1 0 2 3 ?
*> 192.168.3.0/30 172.28.1.1 0 2 3 ?
Total number of prefixes 5
R1#
R2 BGP Table, Advertised Route, Received Routes
R2#sh ip bgp
BGP table version is 7, local router ID is 172.28.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 172.28.1.2 0 0 1 i
*> 3.3.3.3/32 172.28.2.2 0 0 3 ?
*> 4.4.4.4/32 172.28.2.2 156160 0 3 ?
r> 172.28.2.0/30 172.28.2.2 0 0 3 ?
*> 192.168.3.0/30 172.28.2.2 0 0 3 ?
R2#
R2#
R2 Received routes from R1
R2#sh ip bgp neighbors 172.28.1.2 received-routes
BGP table version is 7, local router ID is 172.28.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 172.28.1.2 0 0 1 i
Total number of prefixes 1
R2#
R2 Advertised routes to R1
R2#sh ip bgp neighbors 172.28.1.2 advertised-routes
BGP table version is 7, local router ID is 172.28.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 172.28.1.2 0 0 1 i
*> 3.3.3.3/32 172.28.2.2 0 0 3 ?
*> 4.4.4.4/32 172.28.2.2 156160 0 3 ?
r> 172.28.2.0/30 172.28.2.2 0 0 3 ?
*> 192.168.3.0/30 172.28.2.2 0 0 3 ?
Total number of prefixes 5
R2#
R2 Received routes from R3
R2#sh ip bgp neighbors 172.28.2.2 received-routes
BGP table version is 7, local router ID is 172.28.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 3.3.3.3/32 172.28.2.2 0 0 3 ?
*> 4.4.4.4/32 172.28.2.2 156160 0 3 ?
r> 172.28.2.0/30 172.28.2.2 0 0 3 ?
*> 192.168.3.0/30 172.28.2.2 0 0 3 ?
Total number of prefixes 4
R2#
R2 Advertised routes to R3
R2#sh ip bgp neighbors 172.28.2.2 advertised-routes
BGP table version is 7, local router ID is 172.28.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 172.28.1.2 0 0 1 i
*> 3.3.3.3/32 172.28.2.2 0 0 3 ?
*> 4.4.4.4/32 172.28.2.2 156160 0 3 ?
r> 172.28.2.0/30 172.28.2.2 0 0 3 ?
*> 192.168.3.0/30 172.28.2.2 0 0 3 ?
Total number of prefixes 5
R2#
R3 BGP Table, Advertised Route, Received Routes
R3#sh ip bg
BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 172.28.2.1 0 2 1 i
* 3.3.3.3/32 172.28.2.1 0 2 3 ?
*> 0.0.0.0 0 32768 ?
* 4.4.4.4/32 172.28.2.1 0 2 3 ?
*> 192.168.3.2 156160 32768 ?
* 172.28.2.0/30 172.28.2.1 0 2 3 ?
*> 0.0.0.0 0 32768 ?
* 192.168.3.0/30 172.28.2.1 0 2 3 ?
*> 0.0.0.0 0 32768 ?
R3#
R3#sh ip bgp neighbors 172.28.2.1 advertised-routes
BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 3.3.3.3/32 0.0.0.0 0 32768 ?
*> 4.4.4.4/32 192.168.3.2 156160 32768 ?
*> 172.28.2.0/30 0.0.0.0 0 32768 ?
*> 192.168.3.0/30 0.0.0.0 0 32768 ?
Total number of prefixes 4
R3#
R3#sh ip bgp neighbors 172.28.2.1 received-routes
BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 172.28.2.1 0 2 1 i
* 3.3.3.3/32 172.28.2.1 0 2 3 ?
* 4.4.4.4/32 172.28.2.1 0 2 3 ?
* 172.28.2.0/30 172.28.2.1 0 2 3 ?
* 192.168.3.0/30 172.28.2.1 0 2 3 ?
Total number of prefixes 5
R3#
I agree with the previous posters. What you could do is look at show bgp ipv4 unicast 1.1.1.1 on R2. You will find that the prefix is associated with an update group. An update group is an optimisation within the router BGP process to reduce the processing overhead for generating updates to peers. If two peers have exactly the same outbound routing policy they would be in the same update group. If you looked at the update group show bgp ipv4 unicast update-group <number> you would probably find that it would contain the peers 172.28.1.2 and 172.28.2.2.
This would mean that the 1.1.1.1 would be replicated to R1 and R3. Without allowas-in configured R1 would reject the prefix due to the AS path containing AS1 - you can see this if you look at the output from show bgp ipv4 unicast neighbor 172.28.1.1; towards the bottom you will see the quantity of prefixes that have been rejected and why - use debug ip bgp updates if you want to see this in real time.
When allowas-in is configured the prefix from R2 is accepted into the BGP table - however this is irrelevant as it will never become the best-path due to the weight 32768 for the local origination. If R1 peered with R4 via eBGP for example only this best path would be advertised and hence nothing is broken.
HTH
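The reject-then-weight behaviour described in this answer, as an added Python model written for this thread (it is not the posters' configuration nor IOS code). Neighbour addresses and AS numbers are the thread's; the model reduces IOS best-path selection to "highest weight, then shortest AS path", which is all this scenario exercises. `allowas_in` is the count the `neighbor ... allowas-in N` command sets, and like IOS the model does not suppress a prefix when advertising it back to the eBGP neighbour it came from, leaving the loop check on the receiver to do that job:

```python
from dataclasses import dataclass


@dataclass
class Path:
    prefix: str
    as_path: tuple          # leftmost AS is the most recently traversed
    next_hop: str
    weight: int = 0         # IOS: locally originated routes get weight 32768
    local: bool = False


def loop_check(local_as, as_path, allowas_in=0):
    """Inbound eBGP AS-path loop detection. Without allowas-in any occurrence
    of our own AS rejects the update; allowas-in N tolerates up to N."""
    return as_path.count(local_as) <= allowas_in


class Router:
    def __init__(self, asn):
        self.asn = asn
        self.rib = {}        # prefix -> list of Path
        self.neighbors = {}  # address -> {"remote_as": int, "allowas_in": int}

    def add_neighbor(self, address, remote_as, allowas_in=0):
        self.neighbors[address] = {"remote_as": remote_as, "allowas_in": allowas_in}

    def originate(self, prefix):
        """`network` statement: local route, next hop 0.0.0.0, weight 32768."""
        self.rib.setdefault(prefix, []).append(
            Path(prefix, (), "0.0.0.0", weight=32768, local=True))

    def receive(self, from_neighbor, prefix, as_path):
        """Return True if the update is accepted into the BGP table."""
        cfg = self.neighbors[from_neighbor]
        if not loop_check(self.asn, as_path, cfg["allowas_in"]):
            return False
        self.rib.setdefault(prefix, []).append(Path(prefix, as_path, from_neighbor))
        return True

    def best(self, prefix):
        return max(self.rib[prefix], key=lambda p: (p.weight, -len(p.as_path)))

    def advertise(self):
        """eBGP update: the best path per prefix with our AS prepended."""
        return {pfx: (self.asn,) + self.best(pfx).as_path for pfx in self.rib}


def simulate(allowas_in):
    """R1 (AS1) originates 1.1.1.1/32; R2 (AS2) reflects it back with path (2, 1).
    Returns (update_accepted, best_path_is_local, what_R1_advertises_onward)."""
    r1 = Router(1)
    r1.add_neighbor("172.28.1.1", remote_as=2, allowas_in=allowas_in)
    r1.originate("1.1.1.1/32")
    accepted = r1.receive("172.28.1.1", "1.1.1.1/32", (2, 1))
    best = r1.best("1.1.1.1/32")
    return accepted, best.local, r1.advertise()["1.1.1.1/32"]


if __name__ == "__main__":
    print(simulate(allowas_in=0))    # rejected by the loop check
    print(simulate(allowas_in=10))   # accepted, but the local path stays best
```

Either way R1 advertises 1.1.1.1/32 onward with AS path (1,), which matches the `advertised-routes` output posted above; the reflected copy only ever shows as a non-best `*` entry.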
How to set up Split Tunneling on ASA 5505
Good Morning,
I have an ASA 5505 with security plus licensing. I need to set up split tunneling on the ASA and am not sure how. I am very new to Cisco but am learning quickly. What I want to accomplish, if possible, is to send all traffic to our corporate web site (static IP address) straight out to the internet and all other traffic to go through the tunnel as normal. Basically we have a remote office that is using a local ISP to provide internet service. If our connection at the main office goes down, we want the branch office to still be able to get to our corporate website without having to unplug cables and connect their computer directly to the local ISP modem. Any help will be greatly appreciated. Thanks in advance. Below is a copy of our current config.
ASA Version 7.2(4)
hostname TESTvpn
enable password rBtWtkaB8W1R3ub8 encrypted
passwd rBtWtkaB8W1R3ub8 encrypted
names
name 10.0.0.0 Corp_LAN
name 192.168.64.0 Corp_Voice
name 172.31.155.0 TESTvpn
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Corp_Voice
security-level 100
ip address 172.30.155.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
object-group network SunVoyager
network-object host 64.70.8.160
network-object host 64.70.8.242
object-group network Corp_Networks
network-object Corp_LAN 255.0.0.0
network-object Corp_Voice 255.255.255.0
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 any
access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0 any
access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
access-list VPN extended permit ip TESTvpn 255.255.255.0 any
access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
pager lines 24
logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Corp_Voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list data-vpn
nat (inside) 1 TESTvpn 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Corp_Voice) 0 access-list voice-vpn
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Corp_Voice_access_in in interface Corp_Voice
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http TESTvpn 255.255.255.0 inside
http Corp_LAN 255.0.0.0 inside
http 65.170.136.64 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 66.170.136.65
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh Corp_LAN 255.0.0.0 inside
ssh TESTvpn 255.255.255.0 inside
ssh 65.170.136.64 255.255.255.224 outside
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd option 150 ip 192.168.64.4 192.168.64.3
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 10.10.10.7 10.10.10.44 interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside
dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
dhcpd domain sun.ins interface Corp_Voice
dhcpd enable Corp_Voice
username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
tunnel-group 66.170.136.65 type ipsec-l2l
tunnel-group 66.170.136.65 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:953e50e9cbc02e1b264830dab4a3f2bd
: end
So I tried to use the exclude way that you suggested. Here is my new config. It is still not working. The address I put in for the excluded list was 4.2.2.2 and when I do a trace route to it from the computer, it still goes through the vpn to the main office and out the switch at the main office and not from the local isp. Any other suggestions?
hostname TESTvpn
domain-name default.domain.invalid
enable password rBtWtkaB8W1R3ub8 encrypted
passwd rBtWtkaB8W1R3ub8 encrypted
names
name 10.0.0.0 Corp_LAN
name 192.168.64.0 Corp_Voice
name 172.31.155.0 TESTvpn
interface Vlan1
nameif inside
security-level 100
ip address 172.31.155.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Corp_Voice
security-level 100
ip address 172.30.155.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network SunVoyager
network-object host 64.70.8.160
network-object host 64.70.8.242
object-group network Corp_Networks
network-object Corp_LAN 255.0.0.0
network-object Corp_Voice 255.255.255.0
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 any
access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0 any
access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
access-list VPN extended permit ip TESTvpn 255.255.255.0 any
access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list TEST standard permit host 4.2.2.2
pager lines 24
logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Corp_Voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list data-vpn
nat (inside) 1 TESTvpn 255.255.255.0
nat (Corp_Voice) 0 access-list voice-vpn
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Corp_Voice_access_in in interface Corp_Voice
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http TESTvpn 255.255.255.0 inside
http Corp_LAN 255.0.0.0 inside
http 65.170.136.64 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 66.170.136.65
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh Corp_LAN 255.0.0.0 inside
ssh TESTvpn 255.255.255.0 inside
ssh 65.170.136.64 255.255.255.224 outside
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd option 150 ip 192.168.64.4 192.168.64.3
dhcpd address 172.31.155.10-172.31.155.30 inside
dhcpd dns 10.10.10.7 10.10.10.44 interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside
dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
dhcpd domain sun.ins interface Corp_Voice
dhcpd enable Corp_Voice
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy excludespecified
split-tunnel-network-list value TEST
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
tunnel-group 66.170.136.65 type ipsec-l2l
tunnel-group 66.170.136.65 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8b3caaecf2a0dec7334633888081c367
: end
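On an IPsec site-to-site (ipsec-l2l) tunnel, what gets encrypted is decided by the crypto ACL that `crypto map outside_map 1 match address VPN` references; `split-tunnel-policy` and `split-tunnel-network-list` in a group policy apply to remote-access clients and are never consulted for the L2L peer, so the `TEST` list does not affect traffic to 4.2.2.2. The added Python below (illustrative code for this thread, not the poster's or Cisco's) evaluates the posted `VPN` ACL with the `names` and `object-group` definitions from the same config, using the ASA's first-match semantics with an implicit deny at the end. The sample source hosts are constructed:

```python
import ipaddress

# `names` from the posted config
NAMES = {"Corp_LAN": "10.0.0.0", "Corp_Voice": "192.168.64.0", "TESTvpn": "172.31.155.0"}

# `object-group network` members from the posted config
OBJECT_GROUPS = {
    "SunVoyager": ["host 64.70.8.160", "host 64.70.8.242"],
    "Corp_Networks": ["Corp_LAN 255.0.0.0", "Corp_Voice 255.255.255.0"],
}

# The crypto ACL exactly as posted (order matters: first match wins)
VPN_ACL = """
access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
access-list VPN extended permit ip TESTvpn 255.255.255.0 any
access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
""".strip().splitlines()


def parse_address(tokens):
    """Consume one ASA address spec (any | host X | object-group G | ADDR MASK)
    from the token list; return (list of networks, remaining tokens)."""
    kind = tokens[0]
    if kind == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if kind == "host":
        return [ipaddress.ip_network(tokens[1] + "/32")], tokens[2:]
    if kind == "object-group":
        nets = []
        for member in OBJECT_GROUPS[tokens[1]]:
            member_nets, _ = parse_address(member.split())
            nets.extend(member_nets)
        return nets, tokens[2:]
    addr = NAMES.get(kind, kind)          # resolve a `name` if one was used
    return [ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False)], tokens[2:]


def parse_acl(lines, name):
    """Return the ACEs of `name` as (action, protocol, src_nets, dst_nets)."""
    aces = []
    for line in lines:
        tok = line.split()
        if tok[:3] != ["access-list", name, "extended"]:
            continue
        action, proto = tok[3], tok[4]
        src_nets, rest = parse_address(tok[5:])
        dst_nets, _ = parse_address(rest)
        aces.append((action, proto, src_nets, dst_nets))
    return aces


def crypto_decision(aces, src_ip, dst_ip):
    """'encrypt' if the first matching ACE permits, 'clear' if it denies or
    nothing matches (implicit deny = not interesting traffic, sent via NAT)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src_nets, dst_nets in aces:
        if any(src in n for n in src_nets) and any(dst in n for n in dst_nets):
            return "encrypt" if action == "permit" else "clear"
    return "clear"


if __name__ == "__main__":
    acl = parse_acl(VPN_ACL, "VPN")
    for dst in ("4.2.2.2", "64.70.8.160", "10.10.10.7"):
        print(dst, crypto_decision(acl, "172.31.155.20", dst))
```

With this ACL, 4.2.2.2 from a branch host hits `permit ip TESTvpn 255.255.255.0 any` and is encrypted, which is what the traceroute in the post shows; only the two SunVoyager hosts are excluded by the preceding `deny`. For an L2L tunnel the exclusion therefore has to be expressed in the crypto ACL itself (a `deny` for the destination ahead of the `permit ... any`), mirrored on the peer.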
Hi,
Wondering if anyone has successfully set a route tag for EIGRP routes?
What I am trying to achieve here is to set route tag for the summary routes of the connected interfaces and subnets of some other connected interfaces.
Let's say an ISR router R1 with IOS 15.1(4)M3 has three interfaces running with EIGRP.
Interface Gi0/0
ip add 172.16.0.1/24
summary-add 172.16.0.0/16
Interface Gi0/1
ip add 172.16.1.1/24
summary-add 172.16.0.0/16
Interface Gi0/2
ip add 192.168.2.1/24
I am having difficulty setting a route tag for the summary address 172.16.0.0/16 and 192.168.2.0/24 before they get advertised to another router.
Any idea please?
Thanks
Cedar
Duplicate posts.
Go here: https://supportforums.cisco.com/discussion/12256521/isr-router-eigrp-route-tag
Overwrite dynamic (eigrp) route when external dials into router
Hi
I would like to find a way to overwrite a dynamic (eigrp) route with a routing entry pointing to a dialer interface, when someone has dialed into this dialer interface.
Does anyone know a way this can be done?
Thanks in advance and kind regards
Mark
Thanks for your reply.
Until now I have heard of reverse route injection only in conjunction with setting up vpn connections. And a quick search doesn't show much. But I keep on searching.
Maybe I should tell something more about my setup. There are 2 routers (both 2612). On the LAN side they do hsrp. And on the WAN side each of them has 2 BRI interfaces connected to a multi-line-hunting-group for dialin and dialout. On the LAN I do eigrp and so overwrite a static route pointing to the dialer on the second router because of an administrative distance of 200 at the static route.
When dialing out everything works fine. But when someone dials in to the second router (which is the hsrp standby one) the routing table of this router isn't changed/updated. I had expected something like a "directly connected" event puts a new entry in the routing table pointing to the now connected dialer interface. But this does not happen.
What I'm looking for is a way how this can be done, so that there is a backward pointing route on the hsrp standby router for the dialed in sides.
Is there a way to do this?
Regards
Mark
Planning Horizon & Direct procurement
Hi, how to use the tabs planning horizon & direct procurement in the OPPR screen while running MRP?
Hi Yadav
The Settings of
1) Planning Horizon in OPPR is meant for using Processing key NETPL (Net change for planning horizon) during the MRP run: if you maintain the data, say 100 days, in this field, that means only those materials are planned in the planning run that have a change relevant to MRP within the period (in work days). The length of the planning horizon should at least include the following:
period in which customer orders enter
delivery times
complete material processing time
This setting is useful to restrict your planning horizon length to a defined number of days, say 100 days.
2) Direct Procurement: the setting controls whether direct procurement is initiated by the planning run or by the production order. Using this indicator, you can procure non-stock items directly for an order, bypassing the warehouse. Direct procurement for "parts to be provided" is not supported in subcontracting.
You have to use the Special Procurement key in the Material master.
Regards
Brahmaji
Migration from 7600 to ASR9k - split horizon groups
Hi,
On 7600 I have a set of service instances. For example:
service instance 7583 ethernet
 encapsulation dot1q 2007 second-dot1q 420
 rewrite ingress tag pop 2 symmetric
 bridge-domain 11
service instance 420 ethernet
 encapsulation dot1q 2004 second-dot1q 420
 rewrite ingress tag pop 2 symmetric
 bridge-domain 11 split-horizon
service instance 7694 ethernet
 encapsulation dot1q 2002 second-dot1q 420
 rewrite ingress tag pop 2 symmetric
 bridge-domain 11 split-horizon
int vlan 11
 ip vrf forw Test
 ip address 1.1.1.1 255.255.255.128
To convert this to IOS-XR - how should I specify split horizon?
Like this?
interface Ten0/1/0/0.7583 l2transport
 encapsulation dot1q 2007 second-dot1q 420
 rewrite ingress tag pop 2 symmetric
interface Ten0/1/0/0.420 l2transport
 encapsulation dot1q 2004 second-dot1q 420
 rewrite ingress tag pop 2 symmetric
interface Ten0/1/0/0.7694 l2transport
 encapsulation dot1q 2002 second-dot1q 420
 rewrite ingress tag pop 2 symmetric
interface BVI11
 description Test
 vrf Test
 ipv4 address 1.1.1.1/25
l2vpn
 bridge group BG-TEST
  bridge-domain BD-TEST-11
   interface Ten0/1/0/0.7583
   interface Ten0/1/0/0.420
   interface Ten0/1/0/0.7694
Or like this:
<config omitted>
l2vpn
 bridge group BG-TEST
  bridge-domain BD-TEST-11
   interface Ten0/1/0/0.7583
    split-horizon group
   interface Ten0/1/0/0.420
    split-horizon group
   interface Ten0/1/0/0.7694
    split-horizon group
In short: Do I need to specify "split-horizon group"?
/Jorgen
Jorgen,
Your second example is how to go about it.
In your l2vpn configuration, underneath the bridge-domain section, you define your EFPs (l2transport interfaces) and you can take them out of the default split-horizon group.
Three SHGs are defined for VPLS (SHG0, SHG1 and SHG2). By default, all bridge-ports (AC or PW) are in SHG0. When a split-horizon group is configured under the bridge-port (either under an AC or a PW) they go into SHG2. PWs defined under a VFI are in SHG1.
By definition, bridge-ports in the same SHG (SHG1 and SHG2) won't talk to each other (this is not applicable for SHG0 though).
SHG0 ---> SHG0, SHG1 and SHG2
SHG1 ---> SHG0 and SHG2
SHG2 ---> SHG0 and SHG1
xander -
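The forwarding matrix in the answer above can be checked before touching a production bridge-domain. The following is an added example (not code from the thread or from Cisco): it encodes the SHG0/SHG1/SHG2 rules as given, maps the 7600 EFPs from the question onto IOS-XR attachment circuits, and reports which ACs end up isolated from each other. Note that in the posted 7600 config only service instances 420 and 7694 carry the split-horizon keyword, so the example computes both that faithful mapping and the question's second candidate where all three ACs get "split-horizon group". The BVI is modelled as an ordinary SHG0 bridge port; that is an assumption of this example, not something the thread states.

```python
"""Split-horizon group (SHG) forwarding model for an IOS-XR bridge domain.

Added example; not code from the thread or from Cisco. It encodes the
SHG0/SHG1/SHG2 forwarding rules given in the answer and applies them to the
bridge ports of the question's bridge-domain. The BVI is modelled as an
ordinary SHG0 bridge port (an assumption of this example).
"""
from dataclasses import dataclass
from itertools import permutations

# Forwarding matrix from the answer: source SHG -> set of SHGs it may forward to.
SHG_FORWARDS_TO = {
    0: {0, 1, 2},   # default group: talks to everyone
    1: {0, 2},      # VFI pseudowires: never to another VFI pseudowire
    2: {0, 1},      # ACs/PWs with "split-horizon group": never to each other
}


@dataclass(frozen=True)
class BridgePort:
    name: str
    kind: str = "ac"              # "ac" (attachment circuit), "pw" (pseudowire) or "bvi"
    under_vfi: bool = False       # pseudowire configured under a VFI -> SHG1
    split_horizon: bool = False   # "split-horizon group" configured -> SHG2

    @property
    def shg(self) -> int:
        if self.kind == "pw" and self.under_vfi:
            return 1
        if self.split_horizon:
            return 2
        return 0


def forwarding_allowed(src: BridgePort, dst: BridgePort) -> bool:
    """True if a frame received on src may be forwarded (or flooded) out dst."""
    if src == dst:
        return False  # a frame is never sent back out the port it arrived on
    return dst.shg in SHG_FORWARDS_TO[src.shg]


def reachability(ports) -> set:
    """Set of (src_name, dst_name) pairs between which forwarding is allowed."""
    return {(a.name, b.name) for a, b in permutations(ports, 2) if forwarding_allowed(a, b)}


def from_7600_efps(efps):
    """Translate 7600 EFPs given as (name, has_split_horizon_keyword) into IOS-XR ACs:
    'bridge-domain N split-horizon' on the 7600 becomes 'split-horizon group' on XR."""
    return [BridgePort(name, "ac", split_horizon=flag) for name, flag in efps]


def isolated_ac_pairs(ports) -> set:
    """Unordered AC pairs that cannot exchange frames at layer 2 (BVI excluded)."""
    reach = reachability(ports)
    acs = [p for p in ports if p.kind == "ac"]
    return {frozenset((a.name, b.name)) for a, b in permutations(acs, 2)
            if (a.name, b.name) not in reach}


BVI11 = BridgePort("BVI11", "bvi")

# Faithful mapping of the question's 7600 config: only 420 and 7694 had the keyword.
PORTS_FAITHFUL = from_7600_efps([
    ("Ten0/1/0/0.7583", False),
    ("Ten0/1/0/0.420", True),
    ("Ten0/1/0/0.7694", True),
]) + [BVI11]

# The question's second candidate: "split-horizon group" under all three ACs.
PORTS_ALL_SHG = from_7600_efps([
    ("Ten0/1/0/0.7583", True),
    ("Ten0/1/0/0.420", True),
    ("Ten0/1/0/0.7694", True),
]) + [BVI11]


if __name__ == "__main__":
    for label, ports in (("faithful", PORTS_FAITHFUL), ("all in SHG", PORTS_ALL_SHG)):
        pairs = sorted(sorted(p) for p in isolated_ac_pairs(ports))
        print(f"{label}: isolated AC pairs = {pairs}")
```

With the faithful mapping only .420 and .7694 are isolated from each other while .7583 still bridges to both; with "split-horizon group" under all three ACs, the ACs can only reach the BVI, which is the usual hub-and-spoke result people want from this knob and is worth confirming is what the 7600 side actually did.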
Setting up AirPort Extreme to replace Netgear router
Hi,
Thanks in advance for help and advice with this one. I'm desperate to replace my unreliable Netgear router, so I bought an Apple AirPort Extreme base station (generation 6).
At the moment I have my satellite box (Tooway satellite provided by Europasat) plugged into my Netgear router and can access the internet via the Wi-Fi. I also have my AirPort Extreme WAN port plugged into one of the Netgear router's Ethernet bays. So effectively I have 2 wireless networks and can connect to the internet with both.
I tried removing my Netgear router from the system and plugging my satellite box directly into the AirPort Extreme and started set-up. The AirPort Extreme sets up OK but I just get an orange light for the internet. I have tried using static IP, DHCP etc. and also changing it from Off (Bridge Mode) to DHCP and DHCP and NAT but I get various errors. It keeps asking for a DNS address but I don't know what to enter.
If i look on my router setup its currently set to get IP addresses dynamically from the ISP.
Can anyone help me set this up properly without the Netgear router (which constantly resets and drops the internet connection!!)?
I just need a reliable home network that can connect several Macs, iPads and iPhones, a PS4 etc.
Happy to paypal a small contribution for anyone who can help.
Thanks,
Adam
My details were IP address 10.100.38.234
As we suspected, your satellite provider is giving you a "private" IP address, and not the "public" IP address that you should be receiving. There is nothing wrong with the Netgear router, but it sounds like you have the AirPort Extreme connected at this time.
"Off (Bridge Mode)" would normally be the correct setting to use with your satellite "modem", since it is behaving as if it were another router.
Unfortunately, you will have to use the DHCP and NAT setting on your AirPort Extreme to compensate for the incorrect IP address assignments that your satellite service is providing to you. Since your satellite "modem" is already providing NAT service, and the AirPort Extreme is as well, you have two devices both trying to do NAT; that is why you see the Double NAT error.
Unless you can get your satellite provider to provide you with a "public" IP address, you will have to continue to run the AirPort Extreme in the Double NAT setup and hope for the best. You might be able to get away with this error on a simple home network.
If you do not want to see the blinking amber light, open AirPort Utility and click on the AirPort Extreme. A smaller window will appear. Look for a Status setting and click on the small amber dot next to Status. Another window will appear with an option to "Ignore" the Double NAT error. That will give you a green light on the AirPort Extreme, and hopefully things will work.
Double NAT can cause a number of unpredictable things to occur on a network, but the most common is slow browsing on the Internet, and/or you may be able to get to some web pages, but not others.
Hopefully, things will work OK for you, since you really will have no other options to set up the AirPort Extreme correctly until you receive the correct public IP address that you deserve from your satellite provider. You might want to speak to them about this and let them know that you are on to their tricks, though. -
To Clear a Passive EIGRP Route
We have a Cisco router which has learned an incorrect passive EIGRP route; we would like to clear this route from the router but don't know how.
We'd like to avoid rebooting the router if possible.
Any info on this is appreciated.
Hello,
Where was the route injected into EIGRP from? As long as the route is injected it will be announced to all EIGRP routers. "Passive" just means that the route is learned and no queries are unanswered. This is the normal state of any route in EIGRP.
So to get rid of the route you should have a look at the router injecting it and reconfigure it so that it does not advertise it.
Hope this helps! please rate all posts.
Regards, Martin -
How would I stop EIGRP routes being advertised so that it doesn't keep bringing up my ISDN line? What do I put on the access list?
access-list 100 deny eigrp any any
access-list 100 permit ip any any
!--- EIGRP routing packets are denied in the dialer-list.
!--- This prevents eigrp packets from keeping the link up.
!--- Adjust the interesting traffic depending on your traffic definitions.
dialer-list 1 protocol ip list 100
http://www.cisco.com/en/US/tech/tk713/tk237/technologies_configuration_example09186a00800a3b77.shtml -
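The point of the dialer-list above is that EIGRP hellos, sent every few seconds, would otherwise count as "interesting" traffic and keep resetting the dialer idle timer, so the ISDN call never drops. The following is an added example, not code from the thread or from the linked Cisco page: it parses the two access-list lines as posted, applies them first-match-wins with the implicit deny at the end, and replays constructed traffic (EIGRP hellos at 5 s intervals plus a short TCP session) against a dialer idle timer, with and without the "deny eigrp any any" entry. Only the "<permit|deny> <protocol> any any" form used in the post is parsed and addresses are ignored; that simplification, the 120 s idle timeout and the sample traffic are this example's own assumptions.

```python
"""Interesting-traffic evaluation for a dialer-list bound to an extended ACL.

Added example; not code from the thread or from the linked Cisco page. It
parses the access-list lines quoted in the post, decides per packet whether
the traffic is "interesting" (first matching entry wins, implicit deny at the
end) and replays constructed traffic against a dialer idle timer to show how
long an ISDN call stays up with and without the "deny eigrp any any" entry.
Only the "<permit|deny> <protocol> any any" form is parsed; addresses are
ignored (a simplification of this example).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP protocol numbers for the ACL keywords modelled here; "ip" matches any protocol.
PROTO_KEYWORDS = {"ip": None, "eigrp": 88, "tcp": 6, "udp": 17, "icmp": 1}


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: Optional[int]   # None means any IP protocol


def parse_acl(config_lines: List[str], acl_number: int) -> List[AclEntry]:
    """Pull the entries of one numbered ACL out of config text, in order."""
    entries = []
    for raw in config_lines:
        parts = raw.strip().split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[1] != str(acl_number):
            continue  # comments ("!--- ..."), blank lines, other ACLs
        action, proto = parts[2], parts[3]
        if action not in ("permit", "deny") or proto not in PROTO_KEYWORDS:
            raise ValueError(f"unsupported ACL entry: {raw.strip()}")
        if parts[4:6] != ["any", "any"]:
            raise ValueError(f"only 'any any' source/destination is modelled: {raw.strip()}")
        entries.append(AclEntry(action, PROTO_KEYWORDS[proto]))
    return entries


def is_interesting(entries: List[AclEntry], ip_proto: int) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for entry in entries:
        if entry.proto is None or entry.proto == ip_proto:
            return entry.action == "permit"
    return False


def seconds_link_up(packets: List[Tuple[int, int]], entries: List[AclEntry],
                    idle_timeout: int = 120) -> int:
    """Replay (timestamp, ip_proto) packets through the dialer.

    An interesting packet places the call (if it is down) and resets the idle
    timer; uninteresting packets never reset it. Returns the total number of
    seconds the call is up."""
    total, call_start, up_until = 0, None, None
    for t, proto in sorted(packets):
        if not is_interesting(entries, proto):
            continue
        if up_until is None or t > up_until:   # idle timer expired: a new call
            if up_until is not None:
                total += up_until - call_start
            call_start = t
        up_until = t + idle_timeout
    if up_until is not None:
        total += up_until - call_start
    return total


# The dialer-list ACL from the post (comments included), and the same ACL without the deny.
ACL_WITH_DENY = parse_acl([
    "access-list 100 deny eigrp any any",
    "access-list 100 permit ip any any",
    "!--- EIGRP routing packets are denied in the dialer-list.",
], 100)
ACL_PERMIT_ALL = parse_acl(["access-list 100 permit ip any any"], 100)

# Constructed traffic: EIGRP hellos every 5 s for an hour, plus a 30 s TCP session at the start.
EIGRP_HELLOS = [(t, 88) for t in range(0, 3600, 5)]
TCP_SESSION = [(t, 6) for t in (0, 10, 20, 30)]
SAMPLE_TRAFFIC = EIGRP_HELLOS + TCP_SESSION


if __name__ == "__main__":
    print("EIGRP hello interesting with the deny?", is_interesting(ACL_WITH_DENY, 88))
    print("call up with deny eigrp:", seconds_link_up(SAMPLE_TRAFFIC, ACL_WITH_DENY), "s")
    print("call up with permit ip only:", seconds_link_up(SAMPLE_TRAFFIC, ACL_PERMIT_ALL), "s")
```

With the deny in place the call lasts only as long as the TCP session plus one idle timeout; with "permit ip any any" alone, the hellos keep the call up for the whole hour and beyond. The hellos are still forwarded while the call is up, so the adjacency stays up as long as real traffic is flowing; once the call drops, the EIGRP neighbour goes down with it, which is the trade-off this configuration accepts.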
Setting up Time Capsule with existing wireless router and another Time Capsule
Hello,
I just bought my first Mac (MBP) and a Time Capsule. We already have a wireless router, and my brother has an iMac and his Time Capsule connected to it. The Apple support people said that I couldn't use my new Time Capsule as a backup for my files because it would have to be in bridge mode and that would cause all sorts of problems and the backup would probably fail; that I would have to use my brother's Time Capsule to back up my files.
Is this true?? I find it hard to believe this issue hasn't come up before.
Thanks,
Deborah
Thanks, Bob! If I may impose on you a little bit more, would you be able to guide me a little bit in terms of the setup?
Would I need to connect my Time Capsule directly to the router for first-time set-up?
If so, would I have to keep it connected to the router all the time after the first-time set-up, or can I keep it in another room?
Our wireless network was created back when we were a Windows household, so we still control it using Network Magic on an old laptop.
I unlocked the network (using Network Magic) when I tried to set up the Time Capsule (wirelessly, and before calling Apple), and after entering the network password my MacBook recognized the TC and I got the good little green light on the TC. As soon as I locked up the network, I got the flashing amber light on the TC and AirPort Utility couldn't find it anymore (using AirPort Utility version 6.1)... I unlocked the network again, the light turned green. I locked it back up, the light started flashing amber again...
Thanks, I really appreciate your help!
Deborah -
Cisco WebEx Meetings Server-Internal IRP vs Split Horizon
Hi,
We are planning to install CWMS 1.1 but are not able to decide between the two topologies below:
a. Internal Internet Reverse Proxy with all virtual machines including the IRP in the same internal network (i.e. no IRP in the DMZ).
b. Split horizon with the IRP in the DMZ network.
I would prefer option a (all VMs in the internal network) as it needs fewer changes on the firewall (allow ports 80 & 443 from external to internal), but I am not sure how risky it is, as we will be allowing all external internet traffic directly to the internal IRP on ports 80 & 443. Will we be compromising on security if we go with this option?
Please suggest which option is recommended. I have gone through the pros & cons mentioned in the CWMS 1.1 planning guide.
Thanks
KMS
Srdjan, KMS,
Apologies to jump in, but I am also doing a 50-port installation. I am leaning towards the internal topology as well, as it appears to be less complex and best performing.
Srdjan,
+5 for the info. Can you please confirm if the below applies to 50-port systems as well? Do we need to have a minimum of two boxes to install the split-horizon topology?
"On another hand for that deployment you need 2 HW box's."
I was under the impression we can patch the physical CWMS server onto a DMZ switch and can do the split-horizon topology with only one hardware box. Can you please confirm if that's possible at all?
I tried to raise a request with PDI and was rejected: PDI at the moment is not supporting this product.
I have same queries - let me know I can open a separate thread if you want.
1) How much of a security risk does doing an internal IRP involve?
2) Is there any additional Cisco device we can recommend to the customer to add an extra layer of security to the solution?
3) We have only one hardware box; what would be the best design in that scenario? (50-port installation)
Terry -
Hello all.
I have just set up a new Cisco DPQ3925 wireless router that Optus sent me to be able to access the higher-speed internet I have signed up for.
I have a 4th-gen Apple AirPort Extreme that I want to use to extend the Wi-Fi, but when I try to update the settings via AirPort Utility I get a message that says it cannot do so, and to check it is in range and the Wi-Fi is set up correctly. I'm not experienced with these things but I can't think what I have done wrong.
Is anybody able to help me please.
You cannot use the AE to extend wireless from a non-Apple router such as your Cisco modem router; they are not compatible.
You need to tie the two devices together either with Ethernet or something like EOP adapters. They are about $120 and you can price match in Officeworks.