Static vs OSPF Traffic Failover

Similar Messages

• Redistribute static in OSPF and EIGRP

  When use "redistribute static" in OSPF OR eigrp, does it also redistribute connected networks?
  When use "sh ip eigrp topology", the entries with "via RStatic" indicate a redistribution of static routes, corret?

  Hello,
  redistribute static will redistribute all static routes found in the IP routing table. In case you want to announce the connected interfaces you have two options:
  1) router ospf 10
  network 192.168.1.1 0.0.0.0 area 0
  for
  interface Ethernet0
  ip address 192.168.1.1 255.255.255.0
  2) router ospf 10
  redistribute connected
  The same applies for EIGRP.
  Hope this helps! Please rate all posts.
  Martin

• Is it possible in IOS to have two static routes for the same subnet, one a higher priority and "failover" between the 2?

  Hi All
  Is it possible in IOS to have for a particular subnet:
  a) Two static routes?
  b) Make one static route a higher priority than the other?
  c) If one static router "goes down", failover to the lower priority static route?
  We have a l2tp/vpdn connection to a supplier which can be accessed via two vlans/routes. I would like to make one route the preferred one but the "route" to failover if the preferred route goes down.
  Again, many thanks in advance for all responses!
  Thanks
  John

  Hi John,
  Hope the below explaination will help you...
  R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2
  R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
  If you notice the Administrative Distance for the secondary route pointing to ISP2 is increased to 10 so that it becomes the backup link.
  The above configuration with just two floating static routes partially accomplishes our requirement as it will work only in the scenario where the routers interfaces connected to the WAN link are in up/down or down/down status. But in a lot of situations we see that even though the links remain up but we are not able to reach the gateway, this usually happens when the issue is at the ISP side.
  In such scenarios, IP SLAs becomes an engineer's best friend. With around six additional IOS commands we can have a more reliable automatic failover environment.
  Using IP SLA the Cisco IOS gets the ability to use Internet Control Message Protocol (ICMP) pings to identify when a WAN link goes down at the remote end and hence allows the initiation of a backup connection from an alternative port. The Reliable Static Routing Backup using Object Tracking feature can ensure reliable backup in the case of several catastrophic events, such as Internet circuit failure or peer device failure.
  IP SLA is configured to ping a target, such as a publicly routable IP address or a target inside the corporate network or your next-hop IP on the ISP's router. The pings are routed from the primary interface only. Following a sample configuration of IP SLA to generate icmp ping targeted at the ISP1s next-hop IP.
  R1(config)# ip sla 1
  R1(config)# icmp-echo 2.2.2.2 source-interface FastEthernet0/0
  R1(config)# timeout 1000
  R1(config)# threshold 2
  R1(config)# frequency 3
  R1(config)# ip sla schedule 1 life forever start-time now
  The above configuration defines and starts an IP SLA probe.
  The ICMP Echo probe sends an ICMP Echo packet to next-hop IP 2.2.2.2 every 3 seconds, as defined by the “frequency” parameter.
  Timeout sets the amount of time (in milliseconds) for which the Cisco IOS IP SLAs operation waits for a response from its request packet.
  Threshold sets the rising threshold that generates a reaction event and stores history information for the Cisco IOS IP SLAs operation.
  After defining the IP SLA operation our next step is to define an object that tracks the SLA probe. This can be accomplished by using the IOS Track Object as shown below:
  R1(config)# track 1 ip sla 1 reachability
  The above command will track the state of the IP SLA operation. If there are no ping responses from the next-hop IP the track will go down and it will come up when the ip sla operation starts receiving ping response.
  To verify the track status use the use the “show track” command as shown below:
  R1# show track
  Track 1
  IP SLA 1 reachability
  Reachability is Down
  1 change, last change 00:03:19
  Latest operation return code: Unknown
  The above output shows that the track status is down. Every IP SLAs operation maintains an operation return-code value. This return code is interpreted by the tracking process. The return code may return OK, OverThreshold, and several other return codes.
  Different operations may have different return-code values, so only values common to all operation types are used. The below table shows the track states as per the IP SLA return code.
  Tracking
  Return Code
  Track State
  Reachability
  OK or over threshold
  (all other return codes)
  Up
  Down
  The Last step in the IP SLA Reliable Static Route configuration is to add the “track” statement to the default routes pointing to the ISP routers as shown below:
  R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
  R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
  The track number keyword and argument combination specifies that the static route will be installed only if the state of the configured track object is up. Hence if the track status is down the secondary route will be used to forward all the traffic.
  Please rate the helpfull posts.
  Regards,
  Naidu.

• What is solution of nat failover with 2 ISPs?

  Now I have lease line link to 2 ISPs for internet connection. I separate packets of users by accesslist such as www go to ISP1 and mail or other protocol go to ISP2 . Let's say link go to ISP1 down I need www traffics failover to ISP2 and vice versa.
  Problem is acl on nat statement?
  If you config about this.
  access-l 101 permit tcp any any www -->www traffic to ISP1
  access-l 101 permit tcp any any mail --> back up for mail packet to ISP2 down
  access-l 102 permit tcp any any mail -->mail packet to ISP2
  access-l 102 permit tcp any any www --> back up for www traffic go to ISP2
  ip nat inside source list 101 interface s0 overload
  ip nat inside source list 102 interface s1 overload
  In this case is links of ISP1 and ISP2 are UP.
  when you apply this acl on nat statement then nat will process each statement in order( if I incorrect please correct me) so mail traffics will match in this acl and then nat with ip of ISP1 only.
  please advice solution about this
  TIA

  Hi,
  If you have two serial links connecting to two diff service provider , then you can try this .
  access-l 101 permit tcp any any www
  access-l 102 permit tcp any any mail
  route-map isp1 permit 10
  match ip address 101
  set interface s0
  route-map isp2 permit 10
  match ip address 102
  set interface s1
  ip nat inside route-map isp1 interface s0 overload
  ip nat inside source route-map isp2 interface s1 overload
  ip nat inside source list 103 interface s0 overload
  ip nat inside source list 104 interface s1 overload
  ip route 0.0.0.0 0.0.0.0 s0
  ip route 0.0.0.0 0.0.0.0 s1 100
  In case if any of the link fails , automatically the other traffic would prefer the other serial.
  I have not tried the config , just worked out the config on logic .pls go through and try if possible
  pls see the note2 column
  http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml#related
  Hope it helps
  regards
  vanesh k

• Static NAT and multiple WAN (DSL) ports

  Hi,
  we have a hardware router with 3 ADSL/SDSL lines. The SDSL has a range of public IP addresses.
  We assigned these public IP adresses as DMZ to the hardware router, and added some of the IP's as secondary IP addresses on the BM's public interface. Filters have been disabled for testing, and we could ping the secondary IP's from the internet.
  In the next step, we set up a static NAT to a server in the private LAN, which should be reached from travelling users. Pinging the natted address from the internet reached the server (seen with etherreal), but BM did not set the public IP as the source of the ping reply.
  For testing, we set a static route on the BM to the PC on the internet, using the DMZ as default gateway, which was used for testing, and that worked fine.
  Is there a chance to get the reply from the natted Server back to the DMZ, where the request came from? Setting static routes isnt possible, because users come with changing IP addresses.
  Detlef

  In article <[email protected]>, Pinkel wrote:
  > Is there a chance to get the reply from the natted Server back to the
  > DMZ, where the request came from? Setting static routes isnt possible,
  > because users come with changing IP addresses.
  >
  This is a routing issue, with a possible workaround.
  When the BMgr server gets a packet it needs to route, it's going to look
  in its routing tables to know which interface to send it from, and which
  IP address will be the next hop. Traffic coming inbound will naturally
  leave the private interface and route normally to the internal address.
  Traffic going back to the internet is another matter.
  Traffic from the internet is, naturally, going to have a public IP
  address that will not be in the BMgr server's routing tables, unless you
  put in a static route. If the destination address for a packet is not
  in the BMgr routing table, it will send the packet to the only choice it
  has: the default route. Thus, all outbound non-static-nat'd traffic
  will end up going out the default route.
  I have used, on occasion, a workaround that forces traffic coming in
  from one link to go back out that link. If you think of how BMgr
  (NetWare) is routing replies to these packets, you realize that the only
  way it is going to go back out link B (if link A is the default) is if
  the packet actually comes from the address for link B. The way I've
  made this happen is to enable dynamic NAT on the link B address. (For
  instance, Cisco router with link B, totally different subnet - due to
  isp changeover - from link A. Link A was the default. Enabled NAT with
  overload on link B LAN address, and BMgr then saw all packets coming in
  from that router as local packets simply coming from the link B LAN
  address. So it replied to link B. However, all outbound (non-reply)
  traffic to the internet still went out link A. I've also configured a
  second internet link for VPN only usage, but that was no more than a
  static route entry.)
  Craig Johnson
  Novell Support Connection SysOp
  *** For a current patch list, tips, handy files and books on
  BorderManager, go to http://www.craigjconsulting.com ***

• Lesson BGP & OSPF path selection in VSS routing environment

  Hi, I would like a lesson on how traffic is passed in the following environment:
  One 3945 router with interfaces connected to a pair of 4500X switches configured as VSS pair. One link into each of the 4500 running as routed interfaces using separate IP subnets meaning there are two equal cost paths between the router and the 4500X.
  We are running a single OSPF area and iBGP between the devices. 
  I would like to find out, in normal circumstances where both equal cost links are operating normally, how the 4500 selects the path to send a packet to the router.  We would be trying to avoid traffic passing through the VSL but want to know if the system is smart enough to do that.
  Is there somebody out there who can tell me if the VSS process will select the path directly to the router or if it cannot be guaranteed to do so.
  I also would like to get opinions on whether it is best to create two iBGP neighbour relationships on the link addresses or one relationship between the loopback addresses.
  Thanks 
  LP

  Hi,
  The OSPF traffic would not pass through the VSL link.  The path would directly go from each 4500 to the 3945 (Equal cost load balancing). I think, the 3900 series supports Etherchannel, if this is the case you can also create a L-3 Portchannel between the VSS and 3945 router.  This way you use one /30 instead of 2 and you still have redundancy.  For BGP, I would do one peering with Loopbacks.
  HTH

• Another TCP Reassembly Queue Issue - Help Understanding Sh IP Traffic Results

  I recently started seeing the TCP Out-of-Order blurbs on my 1921/k9 routers logs. See following....
  *Oct 28 06:41:32.793: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1475532578 1500 bytes is out-of-order; expected seq:2819411594. Reason: TCP reassembly queue overflow - session 192.168.10.11:58675 to 23.77.232.34:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
  *Oct 28 15:09:21.539: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:79628295 1488 bytes is out-of-order; expected seq:79600783. Reason: TCP reassembly queue overflow - session 192.168.10.25:55690 to 206.19.48.10:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
  *Oct 28 15:16:44.803: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1210068379 1500 bytes is out-of-order; expected seq:3084764253. Reason: TCP reassembly queue overflow - session 192.168.10.13:50591 to 107.167.193.162:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
  I temporarily disabled TCP Queue length logs (setting to 0) after having changed to several options including 128 and 1024 did not help. The output of Sh IP Traffic....
  "Router#sh ip traffic
  IP statistics:
    Rcvd:  411466 total, 163659 local destination
           0 format errors, 0 checksum errors, 2 bad hop count
           0 unknown protocol, 1 not a gateway
           0 security failures, 0 bad options, 0 with options
    Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
           0 timestamp, 0 extended security, 0 record route
           0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
           0 other
    Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
           0 fragmented, 0 fragments, 0 couldn't fragment
    Bcast: 162854 received, 415 sent
    Mcast: 0 received, 0 sent
    Sent:  5560 generated, 18211176 forwarded
    Drop:  22 encapsulation failed, 0 unresolved, 0 no adjacency
           2383 no route, 0 unicast RPF, 0 forced drop
           0 options denied
    Drop:  0 packets with source IP address zero
    Drop:  0 packets with internal loop back IP address
           0 physical broadcast
  ICMP statistics:
    Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 0 unreachable
          11 echo, 0 echo reply, 0 mask requests, 0 mask replies, 0 quench
          0 parameter, 0 timestamp, 0 timestamp replies, 0 info request, 0 other
          0 irdp solicitations, 0 irdp advertisements
          0 time exceeded, 0 info replies
    Sent: 2028 redirects, 2809 unreachable, 35 echo, 11 echo reply
          0 mask requests, 0 mask replies, 0 quench, 0 timestamp, 0 timestamp replies
          0 info reply, 2 time exceeded, 0 parameter problem
          0 irdp solicitations, 0 irdp advertisements
  BGP statistics:
    Rcvd: 0 total, 0 opens, 0 notifications, 0 updates
          0 keepalives, 0 route-refresh, 0 unrecognized
    Sent: 0 total, 0 opens, 0 notifications, 0 updates
          0 keepalives, 0 route-refresh
  PIMv2 statistics: Sent/Received
    Total: 0/0, 0 checksum errors, 0 format errors
    Registers: 0/0 (0 non-rp, 0 non-sm-group), Register Stops: 0/0,  Hellos: 0/0
    Join/Prunes: 0/0, Asserts: 0/0, grafts: 0/0
    Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0
    Queue drops: 0
    State-Refresh: 0/0
  IGMP statistics: Sent/Received
    Total: 0/0, Format errors: 0/0, Checksum errors: 0/0
    Host Queries: 0/0, Host Reports: 0/0, Host Leaves: 0/0 
    DVMRP: 0/0, PIM: 0/0
    Queue drops: 0
  TCP statistics:
    Rcvd: 39 total, 0 checksum errors, 37 no port
    Sent: 2 total
  EIGRP-IPv4 statistics:
    Rcvd: 0 total
    Sent: 0 total
  UDP statistics:
    Rcvd: 163487 total, 0 checksum errors, 162603 no port
    Sent: 695 total, 0 forwarded broadcasts
  OSPF statistics:
    Last clearing of OSPF traffic counters never
    Rcvd: 0 total, 0 checksum errors
          0 hello, 0 database desc, 0 link state req
          0 link state updates, 0 link state acks
    Sent: 0 total
          0 hello, 0 database desc, 0 link state req
          0 link state updates, 0 link state acks
  ARP statistics:
    Rcvd: 3651888 requests, 72 replies, 0 reverse, 0 other
    Sent: 159 requests, 28560 replies (225 proxy), 0 reverse
    Drop due to input queue full: 0"
  Would someone be so kind as to help me understand a little about my IP Traffic and what might be going wrong? Thanks for any input. --Tim

  With Queue Length set to 1024:
  Router>show ip inspect statistics
  Interfaces configured for inspection 4294967294
  Session creations since subsystem startup or last reset 0
  Current session counts (estab/half-open/terminating) [0:0:0]
  Maxever session counts (estab/half-open/terminating) [0:0:0]
  Last session created never
  Last statistic reset never
  Last session creation rate 0
  Maxever session creation rate 0
  Last half-open session total 0
  TCP reassembly statistics
    received 0 packets out-of-order; dropped 0
    peak memory usage 0 KB; current usage: 0 KB
    peak queue length 0

• Nexus 7010 OSPF Equal Cost Paths

  Hello,
  I currently have two physical links connecting one data center to another.  These are both 10Gb links and I have manually set the cost to the primary link to '1' and the secondary link to '10'.  My question is, if I set the secondary link to '1' they would have equal cost routes.  What is the selection process at this point?   Will equal cost load balancing automatically kick in and use both links?
  Thank you,
  Scott

  Scott
  Haven't used Nexus switches but generally yes it should do depending on the routing protocol ie. statics, EIGRP, OSPF etc. will use equal cost paths if they are in the routing table.
  BGP is different in that without further configuration it picks just one path so there is only one entry in the routing table.
  By default it will use per destination load sharing and the default on Nexus is destination IP address and port number to choose which link to use.
  "sh ip load-sharing"
  will show you the current method it is using.
  Jon

• Pix/Asa OSPF passive interface

  Hi.
  I am going to have an OSPF process for two internal interfaces. But I also have one external interface where I do not want any OSPF traffic going out. I have not so far found any OSPF PASSIVE INTERFACE type of commands om PIX/ASA. Is there any one out there who knows if there is one command like that or how one can stop OSPF packet from going out. I presume that an outgoing access-list will not stop this traffic.
  Regards Bjorn

  Hi,
  Don't define external interface as partecipating to OSPF process.
  That is you have to define the two interface partecipating to OSPF process:
  view: "Enabling OSPF ". Here is the link:http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ip.html#wp1041629.
  I hope this helps.
  Best regards.
  Massimiliano.

• Failover setup on RV016

  Is it possible to have this setup on RV016?
  WAN1: VOIP traffic (either by port or IP) + failover for WAN 2
  WAN2: all other traffic + failover for WAN1
  WAN3: failover for WAN1 & WAN2 with connection on demand
  Thanks.

  Has anyone else figured this out? I'm getting it on every machine I upgrade and I have about 18 more to go and would like to fix it.
  These are brand new iMac's shipped with Mountain Lion. I turn them on and the third screen asks if you want to transfer items from a backup or another Mac. I choose another Mac. Then use Migration Assistant on the users old machine (running Snow Leopard 10.6.8) and then let it transfer all of their files.
  At just about the end of the transfer the new Mac pops up this error and waits until an action is taken. I've tried every password it could have been on the previous users machine to no avial. The only option appears to be hitting cancel and movi ng on but I'd like to know what is breaking when this happens becase the machines exhibit a strange spinning wheel hang when logging in afterwards?
  Here's a screen shot of the new iMac and the problem:
  Thanks!

• VTI tunnel & OSPF

  Hi all,
  I have configured VTI tunnel interfaces (tunnel mode ipsec ipv4) and OSPF on that interfaces.
  VTI is encrypting all data traffic. But what about OSPF traffic?
  Is OSPF traffic encrypted also or I need to configure OSPF authentication?
  Thanks

  OSPF exchange is already encrypted inside of the tunnel, so u don't have to use ospf-authentication. OSPF uses tunnel IP addresses for communications, and traffic flow between those two addresses is possible only throught the secure tunnel.

• Cisco Nexus 5ks EIGRP and Policy routing question.

  We just got installed a METRO LINK between our primary and secondary data center (Site-A <> Site-B) I would like to be able to route data replication between these two sites over that link, instead of going over MPLS.  We run EIGRP internally and BGP to the MPLS (typical scenario)
  At first I thought about doing ‘Policy Based Routing’ with IP SLA to be able to track and route traffic coming from the 10.10.10.0/24 bound to 10.11.11.0/24 and track link state with IP SLA in case the metro link would go down;  data replication would continue to flow over MPLS.
  In researching this, I found out that Cisco NX-5ks and 6Ks don’t support IP SLA and there is no telling if they will support it any time in future releases either.
  I haven’t turned on routing (EIGRP)  between the two 5ks over the metro link yet. 
  Also, I don’t want to statically route replication traffic over the link unless I have to. It would have to  be a manual change in case I need to re-route it over the MPLS.
  See attached drawing
  Any help would be greatly appreciated.
  Marramix01 

  can you calculate the metrics of the two different links for EIGRP? 
  Once you have that you would know which one EIGRP would say is the best path. Then if the MPLS link is not the primary path then you can use Offset-list to force the traffic to and from subnets and still have failover with EIGRP. 
  I hope I understood your problem correctly. 

• ISM with NAT44 - Need help with configuration

  Hello everyone,
  I'm trying to set up NAT44 in the following scenario below and I'm having a hard time figuring out how to redirect the traffic. As you can see the big problem is that I have one single interface that connects to the internal network (10.0.0.0/8) and also to the tunnel destinations all in the same VRF. Can you guys give me a hand? The trafiic comes from network network 10.0.0.0/8 enters interface bundle-ether 2 (Now it needs to be translated), once it is translated, now it needs to reach the destination known via GRE tunnel.
  Configurations
  vrf NAT_IN
  address-family ipv4 unicast
  vrf BLUE
  address-family ipv4 unicast
  hw-module service cgn location 0/3/CPU0
  interface Bundle-Ether2
  description UPLINK TO METRO ETHERNET
  interface Bundle-Ether2.2 l2transport
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  interface GigabitEthernet200/0/0/43
  description LINK TO METRO ETHERNET
  bundle id 2 mode active
  interface GigabitEthernet300/0/0/43
  description LINK TO METRO ETHERNET
  bundle id 2 mode active
  interface BVI2
  description METRO
  vrf BLUE
  ipv4 address 100.0.0.10/24
  interface tunnel-ip 101
  description GRE_TUNNEL
  vrf BLUE
  ipv4 address 1.1.1.1/32
  tunnel mode gre ipv4
  tunnel source interface bvi 2
  tunnel destination 200.0.0.1
  interface BVI 100
  vrf BLUE
  ipv4 address [GATEWAY_100] [MASK_100]
  interface BVI 200
  vrf BLUE
  ipv4 address [GATEWAY_200] [MASK_200]
  interface BVI 300
  vrf BLUE
  ipv4 address [GATEWAY_300] [MASK_300]
  interface ServiceApp1
  vrf NAT_IN
  ipv4 address 10.0.2.1 255.255.255.252
  service cgn CGN service-type nat44
  interface ServiceApp2
  vrf BLUE
  ipv4 address 10.0.2.2 255.255.255.252
  service cgn CGN service-type nat44
  interface ServiceInfra1
  ipv4 address 10.0.3.1 255.255.255.0
  service-location 0/3/CPU0
  router static
  address-family ipv4 unicast
  vrf NAT_IN
  address-family ipv4 unicast
  0.0.0.0/0 ServiceApp1
  10.0.0.0/8 vrf BLUE bvI 2 <NEXT HOP>
  vrf BLUE
  address-family ipv4 unicast
  172.16.0.0/24 ServiceApp2
  router ospf METRO
  vrf BLUE
  router-id [ROUTER_ID]
  redistribute bgp 65500 metric 100
  area 0
  interface bvi 2
  router ospf BLUE
  vrf BLUE
  router-id [ROUTER ID]
  redistribute bgp 65500 metric 100
  area 10
  interface BVI100
  interface BVI200
  interface BVI200
  router bgp 65500
  address-family ipv4 unicast
  address-family vpnv4 unicast
  vrf BLUE
  rd 65500:2
  address-family ipv4 unicast
  redistribute static
  redistribute ospf BLUE
  neighbor 1.1.1.2
  remote-as 64512
  ebgp-multihop 5
  address-family ipv4 unicast
  route-policy PASS in
  route-policy PASS out
  service cgn CGN
  service-location preferred-active 0/3/CPU0
  service-type nat44 nat44
  portlimit 20000
  inside-vrf NAT_IN
  map outside-vrf BLUE address-pool 172.16.0.0/24
  Thanks in advance,
  Renato

  Hi Somnath,
  Let's see if you can help with this new scenario. I want to extend this NAT configuration to a new site (BO1), but instead of using this entire setup with ASR9K, etc, I just want to use ASR9000v module and have this AS9K + ISM as the host. The first problem I see in this scenario is that I have the same 10.0.0.0/8 network in both sites, network which will access the same resources as the devices in the 10.0.0.0/8 in the main site.
  1) Do you think if I create a new inside VRF [NAT_IN1] would address this issue?
  2) Can I use the same outside VRF?
  Here is the configurations.
  !! IOS XR Configuration 4.3.1
  vrf NAT_IN
  address-family ipv4 unicast
    import route-target
     65500:2
     65500:3
    export route-target
     65500:3
  vrf RED
  address-family ipv4 unicast
    import route-target
     65500:1
    export route-target
     65500:1
  vrf NAT_OUT
  address-family ipv4 unicast
    import route-target
     65500:4
    export route-target
     65500:4
  vrf SATELLITE
  vrf BLUE
  address-family ipv4 unicast
    import route-target
     65500:2
    export route-target
     65500:2
  hw-module service cgn location 0/3/CPU0
  ipv4 access-list ABF
  5 permit ospf any any
  10 permit ipv4 any 10.200.0.0 0.0.255.255 nexthop1 vrf NAT_IN ipv4 10.0.2.2
  20 permit icmp any any
  interface Bundle-Ether3
  description Uplink (BE3 - VRF NAT_IN) - VLAN 20
  vrf NAT_IN
  ipv4 address 1.1.1.1 255.255.255.0
  ipv4 access-group ABF ingress
  interface Bundle-Ether22
  description LOOPBACK CABLE NAT_OUT
  vrf NAT_OUT
  ipv4 address 10.0.1.1 255.255.255.0
  interface Bundle-Ether23
  description LOOPBACK CABLE BLUE
  vrf BLUE
  ipv4 address 10.0.1.2 255.255.255.0
  interface 6
  description Uplink  (BE6 - Global) - VLAN 20,51,80-82
  interface 6.2
  ipv4 address 1.1.1.2 255.255.255.0
  encapsulation dot1q 2
  interface 6.51 l2transport
  description EFP - BE6 - VLAN 51
  encapsulation dot1q 51
  rewrite ingress tag pop 1 symmetric
  interface 6.80 l2transport
  description EFP - BE6 - VLAN 80
  encapsulation dot1q 80
  rewrite ingress tag pop 1 symmetric
  interface 6.81 l2transport
  description EFP - BE6 - VLAN 81
  encapsulation dot1q 81
  rewrite ingress tag pop 1 symmetric
  interface 6.82 l2transport
  description EFP - BE6 - VLAN 82
  encapsulation dot1q 82
  rewrite ingress tag pop 1 symmetric
  interface Bundle-Ether100
  description Bundle to Satellite 100
  vrf SATELLITE
  ipv4 point-to-point
  ipv4 unnumbered Loopback0
  nv
    satellite-fabric-link satellite 100
     remote-ports GigabitEthernet 0/0/0-43
  interface Bundle-Ether200
  description Bundle to Satellite 200
  vrf SATELLITE
  ipv4 point-to-point
  ipv4 unnumbered Loopback0
  nv
    satellite-fabric-link satellite 200
     remote-ports GigabitEthernet 0/0/0-43
  interface Bundle-Ether300
  description Bundle to Satellite 300
  vrf SATELLITE
  ipv4 point-to-point
  ipv4 unnumbered Loopback0
  nv
    satellite-fabric-link satellite 300
     remote-ports GigabitEthernet 0/0/0-35
  interface Loopback0
  description MGMT SATELLITE
  vrf SATELLITE
  ipv4 address 10.0.0.254 255.255.255.0
  interface tunnel-ip31101
  description BLUE-TUNNEL01
  vrf BLUE
  ipv4 address 10.200.253.90 255.255.255.252
  tunnel mode gre ipv4
  tunnel source 6.2
  tunnel destination 13.13.13.13
  interface tunnel-ip31102
  description BLUE-TUNNEL02
  vrf BLUE
  ipv4 address 10.200.253.94 255.255.255.252
  tunnel mode gre ipv4
  tunnel source 6.2
  tunnel destination 14.14.14.14
  interface tunnel-ip31103
  description RED-TUNNEL03
  vrf RED
  ipv4 address 10.200.253.90 255.255.255.252
  tunnel mode gre ipv4
  tunnel source 6.2
  tunnel destination 13.13.13.13
  interface tunnel-ip31104
  description RED-TUNNEL04
  vrf RED
  ipv4 address 10.200.253.94 255.255.255.252
  tunnel mode gre ipv4
  tunnel source 6.2
  tunnel destination 14.14.14.14
  interface TenGigE0/0/0/0
  description LINK TO SATELLITE 100
  bundle id 100 mode on
  interface TenGigE0/0/0/1
  description LINK TO SATELLITE 100
  bundle id 100 mode on
  interface TenGigE0/0/0/2
  description LINK TO SATELLITE 200
  bundle id 200 mode on
  interface TenGigE0/0/0/3
  description LINK TO SATELLITE 200
  bundle id 200 mode on
  interface TenGigE0/0/0/4
  description LINK TO SATELLITE 300
  vrf SATELLITE
  ipv4 point-to-point
  ipv4 unnumbered Loopback0
  nv
    satellite-fabric-link satellite 300
     remote-ports GigabitEthernet 0/0/36-43
  interface TenGigE0/0/0/5
  description LINK TO SATELLITE 300
  bundle id 300 mode on
  interface TenGigE0/0/0/16
  description UPLINK  (BE6 - GLOBAL) - VLAN 20,51,80-82
  bundle id 6 mode active
  interface TenGigE0/1/0/16
  description UPLINK  (BE6 - GLOBAL) - VLAN 20,51,80-82
  bundle id 6 mode active
  interface TenGigE0/0/0/17
  description UPLINK  (BE3 - VRF NAT_IN) - VLAN 20
  bundle id 3 mode active
  interface TenGigE0/1/0/17
  description UPLINK  (BE3 - VRF NAT_IN) - VLAN 20
  bundle id 3 mode active
  interface TenGigE0/0/0/22
  description LOOPBACK CABLE TE0/1/0/22
  bundle id 22 mode on
  interface TenGigE0/0/0/23
  description LOOPBACK CABLE TE0/1/0/23
  bundle id 22 mode on
  interface TenGigE0/1/0/0
  description LINK TO SATELLITE 100
  bundle id 100 mode on
  interface TenGigE0/1/0/1
  description LINK TO SATELLITE 100
  bundle id 100 mode on
  interface TenGigE0/1/0/2
  description LINK TO SATELLITE 200
  bundle id 200 mode on
  interface TenGigE0/1/0/3
  description LINK TO SATELLITE 200
  bundle id 200 mode on
  interface TenGigE0/1/0/4
  description LINK TO SATELLITE 300
  bundle id 300 mode on
  interface TenGigE0/1/0/5
  description LINK TO SATELLITE 300
  bundle id 300 mode on
  interface TenGigE0/1/0/22
  description LOOPBACK CABLE TE0/0/0/22
  bundle id 23 mode on
  interface TenGigE0/1/0/23
  description LOOPBACK CABLE TE0/0/0/23
  bundle id 23 mode on
  interface BVI30
  vrf RED
  ipv4 address 10.200.25.193 255.255.255.192
  interface BVI31
  vrf BLUE
  ipv4 address 10.200.1.1 255.255.255.248
  interface BVI32
  vrf BLUE
  ipv4 address 10.200.25.129 255.255.255.224
  interface BVI33
  vrf BLUE
  ipv4 address 10.200.25.1 255.255.255.128
  interface BVI36
  vrf BLUE
  ipv4 address 10.200.237.145 255.255.255.240
  interface BVI51
  vrf RED
  ipv4 address 192.168.7.12 255.255.255.0
  interface BVI80
  vrf RED
  ipv4 address 10.200.26.169 255.255.255.224
  interface BVI81
  vrf BLUE
  ipv4 address 10.200.25.164 255.255.255.240
  interface BVI82
  vrf BLUE
  ipv4 address 10.200.25.180 255.255.255.240
  interface ServiceApp1
  description NAT_IN
  vrf NAT_IN
  ipv4 address 10.0.2.1 255.255.255.252
  service cgn CGN service-type nat44
  interface ServiceApp2
  description NAT_OUT
  vrf NAT_OUT
  ipv4 address 10.0.2.5 255.255.255.252
  service cgn CGN service-type nat44
  interface ServiceInfra1
  description ISM
  ipv4 address 10.0.3.1 255.255.255.0
  service-location 0/3/CPU0
  prefix-set PS_ROUTES
    10.200.0.8,
    10.200.5.40/29,
    10.200.1.0/29,
    10.200.5.32/29,
    10.200.0.144/28,
    10.200.106.0/28,
    10.200.106.16/28
  end-set
  prefix-set PS_BGP_BLUE_OUT
    10.200.24.192/26,
    10.200.5.40/29,
    10.200.240.0/25,
    10.200.1.0/29,
    10.200.25.128/27,
    10.200.25.0/25,
    10.200.5.32/29,
    10.200.26.0/25,
    10.200.0.144/28,
    10.200.27.128/27,
    10.200.27.0/25,
    10.200.106.0/28,
    10.200.106.128/25,
    10.200.106.16/28,
    10.200.107.128/25
  end-set
  route-policy RP_DENY_ALL
    drop
  end-policy
  route-policy RP_PASS_ALL
    pass
  end-policy
  route-policy RP_BGP_BLUE_OUT
    if destination in PS_BGP_BLUE_OUT then
      pass
    endif
  end-policy
  route-policy RP_PASS_ROUTES
    if destination in PS_ROUTES then
      pass
    endif
  end-policy
  router static
  address-family ipv4 unicast
    0.0.0.0/0 1.1.1.20
  vrf NAT_IN
    address-family ipv4 unicast
     0.0.0.0/0 ServiceApp1
  vrf RED
  vrf NAT_OUT
    address-family ipv4 unicast
     0.0.0.0/0 10.0.1.2
     10.200.24.192/26 ServiceApp2
  vrf BLUE
    address-family ipv4 unicast
     10.200.24.192/26 10.0.1.1
  router ospf
  log adjacency changes
  vrf NAT_IN
    router-id 1.1.1.1
    disable-dn-bit-check
    redistribute bgp 65500 metric 5 metric-type 2 route-policy RP_PASS_ROUTES
    area 7
     interface Bundle-Ether3
  router ospf RED
  log adjacency changes
  vrf RED
    router-id 10.200.26.169
    disable-dn-bit-check
    redistribute bgp 65500 metric 10 metric-type 2
    area 11
     interface BVI30
     interface BVI80
  router ospf BLUE
  log adjacency changes
  vrf BLUE
    router-id 10.200.25.164
    disable-dn-bit-check
    redistribute static
    redistribute bgp 65500 metric 10 metric-type 2
    area 0
     interface BVI81
     interface BVI82
    area 2
     interface BVI31
     interface BVI32
     interface BVI33
     interface BVI36
  router bgp 65500
  address-family ipv4 unicast
  address-family vpnv4 unicast
  vrf NAT_IN
    rd 65500:3
    bgp router-id 1.1.1.1
    address-family ipv4 unicast
     route-target download
  vrf RED
    rd 65500:1
    bgp router-id 10.200.253.90
    address-family ipv4 unicast
     network 10.200.25.192/26
     network 10.200.26.128/27
     network 10.200.26.192/27
     network 10.200.27.192/26
     network 10.200.104.128/27
     network 10.200.104.160/27
    neighbor 10.200.253.89
     remote-as 64512
     ebgp-multihop 5
     update-source tunnel-ip31103
     address-family ipv4 unicast
      route-policy RP_PASS_ALL in
      route-policy RP_PASS_ALL out
      soft-reconfiguration inbound
    neighbor 10.200.253.93
     remote-as 64512
     ebgp-multihop 5
     update-source tunnel-ip31104
     address-family ipv4 unicast
      route-policy RP_PASS_ALL in
      route-policy RP_PASS_ALL out
      soft-reconfiguration inbound
  vrf BLUE
    rd 65500:2
    bgp router-id 10.200.253.90
    address-family ipv4 unicast
     network 10.200.0.144/28
     network 10.200.1.0/29
     network 10.200.5.32/29
     network 10.200.5.40/29
     network 10.200.24.192/26
     network 10.200.25.0/25
     network 10.200.25.128/27
     network 10.200.26.0/25
     network 10.200.27.0/25
     network 10.200.27.128/27
     network 10.200.106.0/28
     network 10.200.106.16/28
     network 10.200.106.128/25
     network 10.200.107.128/25
     network 10.200.240.0/25
    neighbor 10.200.253.89
     remote-as 64512
     ebgp-multihop 5
     update-source tunnel-ip31101
     address-family ipv4 unicast
      route-policy RP_PASS_ALL in
      route-policy RP_BGP_BLUE_OUT out
      soft-reconfiguration inbound
    neighbor 10.200.253.93
     remote-as 64512
     ebgp-multihop 5
     update-source tunnel-ip31102
     address-family ipv4 unicast
      route-policy RP_PASS_ALL in
      route-policy RP_BGP_BLUE_OUT out
      soft-reconfiguration inbound
  l2vpn
  load-balancing flow src-dst-ip
  bridge group VLAN30
    bridge-domain VLAN30
     routed interface BVI30
  bridge group VLAN31
    bridge-domain VLAN31
     routed interface BVI31
  bridge group VLAN32
    bridge-domain VLAN32
     routed interface BVI32
  bridge group VLAN33
    bridge-domain VLAN33
     routed interface BVI33
  bridge group VLAN36
    bridge-domain VLAN36
     routed interface BVI36
  bridge group VLAN51
    bridge-domain VLAN51
     routed interface BVI51
  bridge group VLAN80
    bridge-domain VLAN80
     interface 6.80
     routed interface BVI80
  bridge group VLAN81
    bridge-domain VLAN81
     interface 6.81
     routed interface BVI81
  bridge group VLAN82
    bridge-domain VLAN82
     interface 6.82
     routed interface BVI82
  nv
  satellite 100
    type asr9000v
    ipv4 address 10.0.0.1
  satellite 200
    type asr9000v
    ipv4 address 10.0.0.2
  satellite 300
    type asr9000v
    ipv4 address 10.0.0.3
  service cgn CGN
  service-location preferred-active 0/3/CPU0
  service-type nat44 nat44
    portlimit 20000
    inside-vrf NAT_IN
     map outside-vrf NAT_OUT address-pool 10.200.24.192/26
  Thanks in advance,
  Renato

• DHCP wont lease IP Address's on 877 WLAN but does on wired connections

  We have set up an 877 with wireless in one of our remote offices and come across a problem not seen before. (Set many 877's up before).
  The dhcp configured on the router wont lease to wireless devices only to wired devices.
  Even giving the wireless devices a static IP the traffic doesnt seem to pass although the wifi connection says connected on the laptops.
  The config is as follows (pretty basic, internet access and 1 vpn tunnel).....
  Please can anyone advise if something is wrong???
  sh run
  Building configuration...
  Current configuration : 3869 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Router
  boot-start-marker
  boot-end-marker
  enable password XXXXXXX
  no aaa new-model
  dot11 syslog
  dot11 ssid PPWireless
  vlan 1
  authentication open
  authentication key-management wpa
  wpa-psk ascii 0 XXXXXXX
  ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 192.168.40.1 192.168.40.24
  ip dhcp excluded-address 192.168.40.101 192.168.40.254
  ip dhcp pool DHCP
  network 192.168.40.0 255.255.255.0
  domain-name XXXXXXXX.local
  dns-server 172.16.1.3 194.72.9.38
  default-router 192.168.40.254
  lease 3
  ip domain name XXXXXXXXX.local
  ip name-server 172.16.1.3
  ip name-server 194.72.9.38
  ip name-server 194.72.9.34
  username admin privilege 15 password 0 XXXXXXXX
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key finance address 213.123.142.54
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to213.123.142.54
  set peer 213.123.142.54
  set transform-set ESP-3DES-SHA
  match address 101
  archive
  log config
  hidekeys
  bridge irb
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  dsl operating-mode auto
  interface ATM0.1 point-to-point
  description $ES_WAN$
  pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface Dot11Radio0
  no ip address
  encryption vlan 1 mode ciphers tkip
  broadcast-key vlan 1 change 30
  ssid PPWireless
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 spanning-disabled
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface Dot11Radio0.1
  encapsulation dot1Q 1 native
  ip nat inside
  ip virtual-reassembly
  no cdp enable
  interface Vlan1
  no ip address
  bridge-group 1
  interface Dialer0
  ip address negotiated
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap callin
  ppp chap hostname XXXXXXXXXXXXXXXXXX
  ppp chap password 0 XXXXXXXXXXXXXX
  crypto map SDM_CMAP_1
  interface BVI1
  description $ES_LAN$
  ip address 192.168.40.254 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer0
  ip http server
  no ip http secure-server
  ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
  access-list 100 remark CCP_ACL Category=2
  access-list 100 remark SDM_ACL Category=16
  access-list 100 remark IPSec Rule
  access-list 100 deny ip 192.168.40.0 0.0.0.255 172.16.1.0 0.0.0.255
  access-list 100 permit ip 192.168.40.0 0.0.0.255 any
  access-list 101 remark SDM_ACL Category=4
  access-list 101 remark IPSec Rule
  access-list 101 permit ip 192.168.40.0 0.0.0.255 172.16.1.0 0.0.0.255
  dialer-list 1 protocol ip permit
  route-map SDM_RMAP_1 permit 1
  match ip address 100
  control-plane
  bridge 1 protocol ieee
  bridge 1 route ip
  line con 0
  no modem enable
  line aux 0
  line vty 0 4
  password finance
  login
  scheduler max-task-time 5000
  end
  Router#

  Hi, You have some mistakes on your configuration.
  1- bridge-group 1 has to be under the dot11 radio 0.1 interface and not under the dot11radio 0 interface
  2- ip nat inside has to be only under bvi 1 and not anywhere else.
  I will paste for you your modified router config.
  give it a shot.
  dot11 ssid PPWireless
  vlan 1
  authentication open
  authentication key-management wpa
  wpa-psk ascii 0 XXXXXXX
  ip dhcp excluded-address 192.168.40.1 192.168.40.24
  ip dhcp excluded-address 192.168.40.101 192.168.40.254
  ip dhcp pool DHCP
  network 192.168.40.0 255.255.255.0
  domain-name XXXXXXXX.local
  dns-server 172.16.1.3 194.72.9.38
  default-router 192.168.40.254
  lease 3
  ip domain name XXXXXXXXX.local
  ip name-server 172.16.1.3
  ip name-server 194.72.9.38
  ip name-server 194.72.9.34
  username admin privilege 15 password 0 XXXXXXXX
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key finance address 213.123.142.54
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to213.123.142.54
  set peer 213.123.142.54
  set transform-set ESP-3DES-SHA
  match address 101
  archive
  log config
  hidekeys
  bridge irb
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  dsl operating-mode auto
  interface ATM0.1 point-to-point
  description $ES_WAN$
  pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface Dot11Radio0
  no ip address
  encryption vlan 1 mode ciphers tkip
  broadcast-key vlan 1 change 30
  ssid PPWireless
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  interface Dot11Radio0.1
  encapsulation dot1Q 1 native
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 spanning-disabled
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface Vlan1
  no ip address
  bridge-group 1
  interface Dialer0
  ip address negotiated
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap callin
  ppp chap hostname XXXXXXXXXXXXXXXXXX
  ppp chap password 0 XXXXXXXXXXXXXX
  crypto map SDM_CMAP_1
  interface BVI1
  description $ES_LAN$
  ip address 192.168.40.254 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer0
  ip http server
  no ip http secure-server
  ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
  access-list 100 remark CCP_ACL Category=2
  access-list 100 remark SDM_ACL Category=16
  access-list 100 remark IPSec Rule
  access-list 100 deny ip 192.168.40.0 0.0.0.255 172.16.1.0 0.0.0.255
  access-list 100 permit ip 192.168.40.0 0.0.0.255 any
  access-list 101 remark SDM_ACL Category=4
  access-list 101 remark IPSec Rule
  access-list 101 permit ip 192.168.40.0 0.0.0.255 172.16.1.0 0.0.0.255
  dialer-list 1 protocol ip permit
  route-map SDM_RMAP_1 permit 1
  match ip address 100
  control-plane
  bridge 1 protocol ieee
  bridge 1 route ip
  line con 0
  no modem enable
  line aux 0
  line vty 0 4
  password finance
  login

• Nic Team network speed

  Hello!
  There're two physical servers (Hyper-V is not installed) with two nic teams, each consisting of two 1Gb nics:
  To test these teams I tried to copy two files from server1 to server2:
  1) I started copying the first file and ~20 sec later started copying the second file to the same SSD (from server1 to server2)
  2) I copied ~simultaneously two different files to the two different SSDs (from server1 to server2)
  As shown in the picture 1 when I added the second copying the first one had stopped completely, although this SSD can tolerate transfer rate up to 350-380MBps.
  Both pictures show that the total file transfer speed was less than that of a single team member (1Gbps):
  0+112MBps < 1Gbps
  57.1 MBps + 56.5MBps < 1Gbps
  According to http://technet.microsoft.com/en-us/library/hh831648.aspx
  NIC Teaming, also known as load balancing and failover (LBFO), allows multiple network adapters on a computer to be placed into a team for the following purposes:
  Bandwidth aggregation
  Traffic failover to prevent connectivity loss in the event of a network component failure
  Test1 and Test2  show no bandwith aggregation... Are my tests wrong?
  Thank you in advance,
  Michael

  P.S. In a production network it means users would read data from servers using the total amount of a team's bandwidth but write data using the bandwidth of a single team member - that's not I would ever like to have in my network.
  And once again: http://technet.microsoft.com/en-us/library/hh831648.aspx
  Traffic distribution algorithms
  NIC Teaming in Windows Server 2012 supports the following traffic distribution methods:
  Hashing. This algorithm creates a hash based on components of the packet, and then it assigns packets that have that hash value to one of the available network adapters. This keeps all packets from the same TCP stream on the
  same network adapter. Hashing alone usually creates balance across the available network adapters. Some NIC Teaming solutions that are available on the market monitor the distribution of the traffic and reassign specific hash values to different
  network adapters in an attempt to better balance the traffic. The dynamic redistribution is known as smart load balancing or adaptive load balancing.
  The components that can be used as inputs to the hashing function include:
  Source and destination MAC addresses
  Source and destination IP addresses, with or without considering the MAC addresses (2-tuple hash)
  Source and destination TCP ports, usually used along with the IP addresses (4-tuple hash)
  I don't see in this explanation any reason for not creating balance when the sourses are different but the destination is the same...
  Regards,
  Michael