Static vs OSPF Traffic Failover
Hi Network Gurus,
I have a routing challenge here. The scenario is that we have 2 sites to be connected to the head office. The primary routing they have used (for many years) is static; over the years their business requirements have increased and they need a backup path to the head office. The connection they have used is DMVPN, and routing from the two sites to the head office is dynamic (OSPF). I know that usually OSPF is primary and the backup is static.
Any suggestion for the design?
Primary is Static
Back up is dynamic
Regards,
Rexie
Hello.
It's much better to run dynamic routing, as statics might be cruel sometimes.
So, if possible, I would configure dynamic.
PS: please provide your configuration per border router per link.
Similar Messages
-
Redistribute static in OSPF and EIGRP
When using "redistribute static" in OSPF or EIGRP, does it also redistribute connected networks?
When using "sh ip eigrp topology", the entries with "via RStatic" indicate a redistribution of static routes, correct?
Hello,
redistribute static will redistribute all static routes found in the IP routing table. In case you want to announce the connected interfaces you have two options:
1) router ospf 10
network 192.168.1.1 0.0.0.0 area 0
for
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
2) router ospf 10
redistribute connected
The same applies for EIGRP.
Hope this helps! Please rate all posts.
Martin -
Hi All
Is it possible in IOS to have for a particular subnet:
a) Two static routes?
b) Make one static route a higher priority than the other?
c) If one static router "goes down", failover to the lower priority static route?
We have a l2tp/vpdn connection to a supplier which can be accessed via two vlans/routes. I would like to make one route the preferred one but the "route" to failover if the preferred route goes down.
Again, many thanks in advance for all responses!
Thanks
John
Hi John,
Hope the below explanation will help you...
R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2
R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
If you notice the Administrative Distance for the secondary route pointing to ISP2 is increased to 10 so that it becomes the backup link.
The above configuration with just two floating static routes only partially accomplishes our requirement, as it will work only in the scenario where the router's interfaces connected to the WAN link are in up/down or down/down status. But in a lot of situations we see that even though the links remain up, we are not able to reach the gateway; this usually happens when the issue is on the ISP side.
In such scenarios, IP SLAs becomes an engineer's best friend. With around six additional IOS commands we can have a more reliable automatic failover environment.
Using IP SLA the Cisco IOS gets the ability to use Internet Control Message Protocol (ICMP) pings to identify when a WAN link goes down at the remote end and hence allows the initiation of a backup connection from an alternative port. The Reliable Static Routing Backup using Object Tracking feature can ensure reliable backup in the case of several catastrophic events, such as Internet circuit failure or peer device failure.
IP SLA is configured to ping a target, such as a publicly routable IP address, a target inside the corporate network, or your next-hop IP on the ISP's router. The pings are routed from the primary interface only. Following is a sample configuration of IP SLA to generate ICMP pings targeted at ISP1's next-hop IP.
R1(config)# ip sla 1
R1(config-ip-sla)# icmp-echo 2.2.2.2 source-interface FastEthernet0/0
R1(config-ip-sla-echo)# timeout 1000
R1(config-ip-sla-echo)# threshold 2
R1(config-ip-sla-echo)# frequency 3
R1(config-ip-sla-echo)# exit
R1(config)# ip sla schedule 1 life forever start-time now
The above configuration defines and starts an IP SLA probe.
The ICMP Echo probe sends an ICMP Echo packet to next-hop IP 2.2.2.2 every 3 seconds, as defined by the “frequency” parameter.
Timeout sets the amount of time (in milliseconds) for which the Cisco IOS IP SLAs operation waits for a response from its request packet.
Threshold sets the rising threshold that generates a reaction event and stores history information for the Cisco IOS IP SLAs operation.
After defining the IP SLA operation our next step is to define an object that tracks the SLA probe. This can be accomplished by using the IOS Track Object as shown below:
R1(config)# track 1 ip sla 1 reachability
The above command will track the state of the IP SLA operation. If there are no ping responses from the next-hop IP the track will go down and it will come up when the ip sla operation starts receiving ping response.
To verify the track status, use the “show track” command as shown below:
R1# show track
Track 1
IP SLA 1 reachability
Reachability is Down
1 change, last change 00:03:19
Latest operation return code: Unknown
The above output shows that the track status is down. Every IP SLAs operation maintains an operation return-code value. This return code is interpreted by the tracking process. The return code may return OK, OverThreshold, and several other return codes.
Different operations may have different return-code values, so only values common to all operation types are used. The below table shows the track states as per the IP SLA return code.
Tracking        Return Code                  Track State
Reachability    OK or over threshold         Up
                (all other return codes)     Down
The last step in the IP SLA Reliable Static Route configuration is to add the “track” statement to the default routes pointing to the ISP routers as shown below:
R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
The track number keyword and argument combination specifies that the static route will be installed only if the state of the configured track object is up. Hence if the track status is down the secondary route will be used to forward all the traffic.
Please rate the helpful posts.
Regards,
Naidu. -
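The failover behaviour described in the post above, modelled as an added example (not part of the original post and not Cisco code): it parses `show track` output in the format shown, maps IP SLA return codes to a track state per the table, and picks the default route that would be installed by administrative distance. All function and class names are hypothetical, the sample output is constructed from the post, and treating an unknown track object as down is an assumption of this sketch.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# From the post's table: for reachability tracking, OK and over-threshold
# map to Up; all other return codes map to Down.
UP_RETURN_CODES = {"ok", "overthreshold", "over threshold"}

# Constructed sample, copied from the `show track` output in the post.
SHOW_TRACK_DOWN = """\
Track 1
  IP SLA 1 reachability
  Reachability is Down
    1 change, last change 00:03:19
  Latest operation return code: Unknown
"""


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    next_hop: str
    distance: int = 1             # default administrative distance of a static route
    track: Optional[int] = None   # track object id when "track N" is configured


# The two default routes from the final configuration in the post.
TRACKED_ROUTES = [
    StaticRoute("0.0.0.0/0", "2.2.2.2", 1, track=1),
    StaticRoute("0.0.0.0/0", "3.3.3.3", 10),
]
# The plain floating statics from the start of the post (no tracking).
UNTRACKED_ROUTES = [
    StaticRoute("0.0.0.0/0", "2.2.2.2", 1),
    StaticRoute("0.0.0.0/0", "3.3.3.3", 10),
]


def parse_show_track(output: str) -> Dict[int, dict]:
    """Return {track_id: {"state": "Up"|"Down"|None, "return_code": str|None}}."""
    tracks: Dict[int, dict] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"^Track (\d+)$", line)
        if m:
            current = int(m.group(1))
            tracks[current] = {"state": None, "return_code": None}
            continue
        if current is None:
            continue
        m = re.match(r"^Reachability is (Up|Down)$", line)
        if m:
            tracks[current]["state"] = m.group(1)
            continue
        m = re.match(r"^Latest operation return code: (.+)$", line)
        if m:
            tracks[current]["return_code"] = m.group(1).strip()
    return tracks


def state_from_return_code(code: str) -> str:
    """Apply the return-code table: OK / over threshold -> Up, else Down."""
    return "Up" if code.strip().lower() in UP_RETURN_CODES else "Down"


def track_up_map(tracks: Dict[int, dict]) -> Dict[int, bool]:
    """Collapse parsed tracks to {id: True if Up}."""
    return {tid: info["state"] == "Up" for tid, info in tracks.items()}


def installed_route(routes: List[StaticRoute], track_up: Dict[int, bool],
                    prefix: str = "0.0.0.0/0") -> Optional[StaticRoute]:
    """Pick the route that ends up in the table for `prefix`.

    A tracked route is eligible only while its track object is up (an
    unknown track id counts as down here, by assumption); among eligible
    routes the lowest administrative distance wins.
    """
    eligible = [
        r for r in routes
        if r.prefix == prefix and (r.track is None or track_up.get(r.track, False))
    ]
    return min(eligible, key=lambda r: r.distance) if eligible else None


if __name__ == "__main__":
    states = track_up_map(parse_show_track(SHOW_TRACK_DOWN))
    print("tracked config, probe failing ->", installed_route(TRACKED_ROUTES, states).next_hop)
    print("tracked config, probe healthy ->", installed_route(TRACKED_ROUTES, {1: True}).next_hop)
    # Without tracking, an upstream failure that leaves the link up changes nothing.
    print("untracked config              ->", installed_route(UNTRACKED_ROUTES, states).next_hop)
```
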
What is solution of nat failover with 2 ISPs?
Now I have leased-line links to 2 ISPs for internet connection. I separate users' packets by access list, such as www going to ISP1 and mail or other protocols going to ISP2. Let's say the link to ISP1 goes down; I need www traffic to fail over to ISP2 and vice versa.
Is the problem the ACL on the NAT statement?
If you configure it like this:
access-l 101 permit tcp any any www -->www traffic to ISP1
access-l 101 permit tcp any any mail --> back up for mail packet to ISP2 down
access-l 102 permit tcp any any mail -->mail packet to ISP2
access-l 102 permit tcp any any www --> back up for www traffic go to ISP2
ip nat inside source list 101 interface s0 overload
ip nat inside source list 102 interface s1 overload
In this case the links to ISP1 and ISP2 are both UP.
When you apply this ACL on the NAT statement, NAT will process each statement in order (if I am incorrect, please correct me), so mail traffic will match in this ACL and then be NATed with the IP of ISP1 only.
Please advise a solution for this.
TIA
Hi,
If you have two serial links connecting to two different service providers, then you can try this.
access-l 101 permit tcp any any www
access-l 102 permit tcp any any mail
route-map isp1 permit 10
match ip address 101
set interface s0
route-map isp2 permit 10
match ip address 102
set interface s1
ip nat inside source route-map isp1 interface s0 overload
ip nat inside source route-map isp2 interface s1 overload
ip nat inside source list 103 interface s0 overload
ip nat inside source list 104 interface s1 overload
ip route 0.0.0.0 0.0.0.0 s0
ip route 0.0.0.0 0.0.0.0 s1 100
In case either of the links fails, the other traffic would automatically prefer the other serial link.
I have not tried the config, just worked out the config on logic. Please go through it and try it if possible.
Please see the note 2 column:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml#related
Hope it helps
regards
vanesh k -
Static NAT and multiple WAN (DSL) ports
Hi,
we have a hardware router with 3 ADSL/SDSL lines. The SDSL has a range of public IP addresses.
We assigned these public IP addresses as DMZ to the hardware router, and added some of the IPs as secondary IP addresses on the BM's public interface. Filters have been disabled for testing, and we could ping the secondary IPs from the internet.
In the next step, we set up a static NAT to a server in the private LAN, which should be reached by travelling users. Pinging the NATed address from the internet reached the server (seen with Ethereal), but BM did not set the public IP as the source of the ping reply.
For testing, we set a static route on the BM to the PC on the internet, using the DMZ as default gateway, which was used for testing, and that worked fine.
Is there a chance to get the reply from the NATed server back to the DMZ, where the request came from? Setting static routes isn't possible, because users come with changing IP addresses.
Detlef
In article <[email protected]>, Pinkel wrote:
> Is there a chance to get the reply from the natted Server back to the
> DMZ, where the request came from? Setting static routes isn't possible,
> because users come with changing IP addresses.
>
This is a routing issue, with a possible workaround.
When the BMgr server gets a packet it needs to route, it's going to look
in its routing tables to know which interface to send it from, and which
IP address will be the next hop. Traffic coming inbound will naturally
leave the private interface and route normally to the internal address.
Traffic going back to the internet is another matter.
Traffic from the internet is, naturally, going to have a public IP
address that will not be in the BMgr server's routing tables, unless you
put in a static route. If the destination address for a packet is not
in the BMgr routing table, it will send the packet to the only choice it
has: the default route. Thus, all outbound non-static-nat'd traffic
will end up going out the default route.
I have used, on occasion, a workaround that forces traffic coming in
from one link to go back out that link. If you think of how BMgr
(NetWare) is routing replies to these packets, you realize that the only
way it is going to go back out link B (if link A is the default) is if
the packet actually comes from the address for link B. The way I've
made this happen is to enable dynamic NAT on the link B address. (For
instance, Cisco router with link B, totally different subnet - due to
isp changeover - from link A. Link A was the default. Enabled NAT with
overload on link B LAN address, and BMgr then saw all packets coming in
from that router as local packets simply coming from the link B LAN
address. So it replied to link B. However, all outbound (non-reply)
traffic to the internet still went out link A. I've also configured a
second internet link for VPN only usage, but that was no more than a
static route entry.)
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com *** -
Lesson BGP & OSPF path selection in VSS routing environment
Hi, I would like a lesson on how traffic is passed in the following environment:
One 3945 router with interfaces connected to a pair of 4500X switches configured as VSS pair. One link into each of the 4500 running as routed interfaces using separate IP subnets meaning there are two equal cost paths between the router and the 4500X.
We are running a single OSPF area and iBGP between the devices.
I would like to find out, in normal circumstances where both equal cost links are operating normally, how the 4500 selects the path to send a packet to the router. We would be trying to avoid traffic passing through the VSL but want to know if the system is smart enough to do that.
Is there somebody out there who can tell me if the VSS process will select the path directly to the router or if it cannot be guaranteed to do so.
I also would like to get opinions on whether it is best to create two iBGP neighbour relationships on the link addresses or one relationship between the loopback addresses.
Thanks
LP
Hi,
The OSPF traffic would not pass through the VSL link. The path would directly go from each 4500 to the 3945 (Equal cost load balancing). I think, the 3900 series supports Etherchannel, if this is the case you can also create a L-3 Portchannel between the VSS and 3945 router. This way you use one /30 instead of 2 and you still have redundancy. For BGP, I would do one peering with Loopbacks.
HTH -
Another TCP Reassembly Queue Issue - Help Understanding Sh IP Traffic Results
I recently started seeing the TCP Out-of-Order blurbs in my 1921/k9 router's logs. See the following....
*Oct 28 06:41:32.793: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1475532578 1500 bytes is out-of-order; expected seq:2819411594. Reason: TCP reassembly queue overflow - session 192.168.10.11:58675 to 23.77.232.34:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
*Oct 28 15:09:21.539: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:79628295 1488 bytes is out-of-order; expected seq:79600783. Reason: TCP reassembly queue overflow - session 192.168.10.25:55690 to 206.19.48.10:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
*Oct 28 15:16:44.803: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1210068379 1500 bytes is out-of-order; expected seq:3084764253. Reason: TCP reassembly queue overflow - session 192.168.10.13:50591 to 107.167.193.162:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
I temporarily disabled TCP Queue length logs (setting to 0) after having changed to several options including 128 and 1024 did not help. The output of Sh IP Traffic....
"Router#sh ip traffic
IP statistics:
Rcvd: 411466 total, 163659 local destination
0 format errors, 0 checksum errors, 2 bad hop count
0 unknown protocol, 1 not a gateway
0 security failures, 0 bad options, 0 with options
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
0 other
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
0 fragmented, 0 fragments, 0 couldn't fragment
Bcast: 162854 received, 415 sent
Mcast: 0 received, 0 sent
Sent: 5560 generated, 18211176 forwarded
Drop: 22 encapsulation failed, 0 unresolved, 0 no adjacency
2383 no route, 0 unicast RPF, 0 forced drop
0 options denied
Drop: 0 packets with source IP address zero
Drop: 0 packets with internal loop back IP address
0 physical broadcast
ICMP statistics:
Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 0 unreachable
11 echo, 0 echo reply, 0 mask requests, 0 mask replies, 0 quench
0 parameter, 0 timestamp, 0 timestamp replies, 0 info request, 0 other
0 irdp solicitations, 0 irdp advertisements
0 time exceeded, 0 info replies
Sent: 2028 redirects, 2809 unreachable, 35 echo, 11 echo reply
0 mask requests, 0 mask replies, 0 quench, 0 timestamp, 0 timestamp replies
0 info reply, 2 time exceeded, 0 parameter problem
0 irdp solicitations, 0 irdp advertisements
BGP statistics:
Rcvd: 0 total, 0 opens, 0 notifications, 0 updates
0 keepalives, 0 route-refresh, 0 unrecognized
Sent: 0 total, 0 opens, 0 notifications, 0 updates
0 keepalives, 0 route-refresh
PIMv2 statistics: Sent/Received
Total: 0/0, 0 checksum errors, 0 format errors
Registers: 0/0 (0 non-rp, 0 non-sm-group), Register Stops: 0/0, Hellos: 0/0
Join/Prunes: 0/0, Asserts: 0/0, grafts: 0/0
Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0
Queue drops: 0
State-Refresh: 0/0
IGMP statistics: Sent/Received
Total: 0/0, Format errors: 0/0, Checksum errors: 0/0
Host Queries: 0/0, Host Reports: 0/0, Host Leaves: 0/0
DVMRP: 0/0, PIM: 0/0
Queue drops: 0
TCP statistics:
Rcvd: 39 total, 0 checksum errors, 37 no port
Sent: 2 total
EIGRP-IPv4 statistics:
Rcvd: 0 total
Sent: 0 total
UDP statistics:
Rcvd: 163487 total, 0 checksum errors, 162603 no port
Sent: 695 total, 0 forwarded broadcasts
OSPF statistics:
Last clearing of OSPF traffic counters never
Rcvd: 0 total, 0 checksum errors
0 hello, 0 database desc, 0 link state req
0 link state updates, 0 link state acks
Sent: 0 total
0 hello, 0 database desc, 0 link state req
0 link state updates, 0 link state acks
ARP statistics:
Rcvd: 3651888 requests, 72 replies, 0 reverse, 0 other
Sent: 159 requests, 28560 replies (225 proxy), 0 reverse
Drop due to input queue full: 0"
Would someone be so kind as to help me understand a little about my IP Traffic and what might be going wrong? Thanks for any input. --Tim
With Queue Length set to 1024:
Router>show ip inspect statistics
Interfaces configured for inspection 4294967294
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
TCP reassembly statistics
received 0 packets out-of-order; dropped 0
peak memory usage 0 KB; current usage: 0 KB
peak queue length 0 -
Nexus 7010 OSPF Equal Cost Paths
Hello,
I currently have two physical links connecting one data center to another. These are both 10Gb links and I have manually set the cost to the primary link to '1' and the secondary link to '10'. My question is, if I set the secondary link to '1' they would have equal cost routes. What is the selection process at this point? Will equal cost load balancing automatically kick in and use both links?
Thank you,
Scott
Scott
Haven't used Nexus switches but generally yes it should do depending on the routing protocol ie. statics, EIGRP, OSPF etc. will use equal cost paths if they are in the routing table.
BGP is different in that without further configuration it picks just one path so there is only one entry in the routing table.
By default it will use per destination load sharing and the default on Nexus is destination IP address and port number to choose which link to use.
"sh ip load-sharing"
will show you the current method it is using.
Jon -
Pix/Asa OSPF passive interface
Hi.
I am going to have an OSPF process for two internal interfaces. But I also have one external interface where I do not want any OSPF traffic going out. I have not so far found any OSPF PASSIVE INTERFACE type of command on PIX/ASA. Is there anyone out there who knows if there is a command like that, or how one can stop OSPF packets from going out? I presume that an outgoing access-list will not stop this traffic.
Regards Bjorn
Hi,
Don't define the external interface as participating in the OSPF process.
That is, you have to define the two interfaces participating in the OSPF process:
see "Enabling OSPF". Here is the link: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ip.html#wp1041629.
I hope this helps.
Best regards.
Massimiliano. -
Is it possible to have this setup on RV016?
WAN1: VOIP traffic (either by port or IP) + failover for WAN 2
WAN2: all other traffic + failover for WAN1
WAN3: failover for WAN1 & WAN2 with connection on demand
Thanks.
Has anyone else figured this out? I'm getting it on every machine I upgrade and I have about 18 more to go and would like to fix it.
These are brand new iMacs shipped with Mountain Lion. I turn them on and the third screen asks if you want to transfer items from a backup or another Mac. I choose another Mac. Then I use Migration Assistant on the user's old machine (running Snow Leopard 10.6.8) and let it transfer all of their files.
At just about the end of the transfer the new Mac pops up this error and waits until an action is taken. I've tried every password it could have been on the previous user's machine to no avail. The only option appears to be hitting cancel and moving on, but I'd like to know what is breaking when this happens because the machines exhibit a strange spinning wheel hang when logging in afterwards?
Here's a screen shot of the new iMac and the problem:
Thanks! -
Hi all,
I have configured VTI tunnel interfaces (tunnel mode ipsec ipv4) and OSPF on that interfaces.
VTI is encrypting all data traffic. But what about OSPF traffic?
Is OSPF traffic encrypted also or I need to configure OSPF authentication?
Thanks
OSPF exchange is already encrypted inside of the tunnel, so you don't have to use ospf-authentication. OSPF uses tunnel IP addresses for communications, and traffic flow between those two addresses is possible only through the secure tunnel.
-
Cisco Nexus 5ks EIGRP and Policy routing question.
We just got installed a METRO LINK between our primary and secondary data center (Site-A <> Site-B) I would like to be able to route data replication between these two sites over that link, instead of going over MPLS. We run EIGRP internally and BGP to the MPLS (typical scenario)
At first I thought about doing ‘Policy Based Routing’ with IP SLA to be able to track and route traffic coming from the 10.10.10.0/24 bound to 10.11.11.0/24 and track link state with IP SLA in case the metro link would go down; data replication would continue to flow over MPLS.
In researching this, I found out that Cisco NX-5ks and 6Ks don’t support IP SLA and there is no telling if they will support it any time in future releases either.
I haven’t turned on routing (EIGRP) between the two 5ks over the metro link yet.
Also, I don’t want to statically route replication traffic over the link unless I have to. It would have to be a manual change in case I need to re-route it over the MPLS.
See attached drawing
Any help would be greatly appreciated.
Marramix01
Can you calculate the metrics of the two different links for EIGRP?
Once you have that you would know which one EIGRP would say is the best path. Then if the MPLS link is not the primary path then you can use Offset-list to force the traffic to and from subnets and still have failover with EIGRP.
I hope I understood your problem correctly. -
ISM with NAT44 - Need help with configuration
Hello everyone,
I'm trying to set up NAT44 in the following scenario below and I'm having a hard time figuring out how to redirect the traffic. As you can see, the big problem is that I have one single interface that connects to the internal network (10.0.0.0/8) and also to the tunnel destinations, all in the same VRF. Can you guys give me a hand? The traffic comes from network 10.0.0.0/8 and enters interface bundle-ether 2 (now it needs to be translated); once it is translated, it needs to reach the destination known via the GRE tunnel.
Configurations
vrf NAT_IN
address-family ipv4 unicast
vrf BLUE
address-family ipv4 unicast
hw-module service cgn location 0/3/CPU0
interface Bundle-Ether2
description UPLINK TO METRO ETHERNET
interface Bundle-Ether2.2 l2transport
encapsulation dot1q 2
rewrite ingress tag pop 1 symmetric
interface GigabitEthernet200/0/0/43
description LINK TO METRO ETHERNET
bundle id 2 mode active
interface GigabitEthernet300/0/0/43
description LINK TO METRO ETHERNET
bundle id 2 mode active
interface BVI2
description METRO
vrf BLUE
ipv4 address 100.0.0.10/24
interface tunnel-ip 101
description GRE_TUNNEL
vrf BLUE
ipv4 address 1.1.1.1/32
tunnel mode gre ipv4
tunnel source interface bvi 2
tunnel destination 200.0.0.1
interface BVI 100
vrf BLUE
ipv4 address [GATEWAY_100] [MASK_100]
interface BVI 200
vrf BLUE
ipv4 address [GATEWAY_200] [MASK_200]
interface BVI 300
vrf BLUE
ipv4 address [GATEWAY_300] [MASK_300]
interface ServiceApp1
vrf NAT_IN
ipv4 address 10.0.2.1 255.255.255.252
service cgn CGN service-type nat44
interface ServiceApp2
vrf BLUE
ipv4 address 10.0.2.2 255.255.255.252
service cgn CGN service-type nat44
interface ServiceInfra1
ipv4 address 10.0.3.1 255.255.255.0
service-location 0/3/CPU0
router static
address-family ipv4 unicast
vrf NAT_IN
address-family ipv4 unicast
0.0.0.0/0 ServiceApp1
10.0.0.0/8 vrf BLUE bvI 2 <NEXT HOP>
vrf BLUE
address-family ipv4 unicast
172.16.0.0/24 ServiceApp2
router ospf METRO
vrf BLUE
router-id [ROUTER_ID]
redistribute bgp 65500 metric 100
area 0
interface bvi 2
router ospf BLUE
vrf BLUE
router-id [ROUTER ID]
redistribute bgp 65500 metric 100
area 10
interface BVI100
interface BVI200
interface BVI200
router bgp 65500
address-family ipv4 unicast
address-family vpnv4 unicast
vrf BLUE
rd 65500:2
address-family ipv4 unicast
redistribute static
redistribute ospf BLUE
neighbor 1.1.1.2
remote-as 64512
ebgp-multihop 5
address-family ipv4 unicast
route-policy PASS in
route-policy PASS out
service cgn CGN
service-location preferred-active 0/3/CPU0
service-type nat44 nat44
portlimit 20000
inside-vrf NAT_IN
map outside-vrf BLUE address-pool 172.16.0.0/24
Thanks in advance,
Renato
Hi Somnath,
Let's see if you can help with this new scenario. I want to extend this NAT configuration to a new site (BO1), but instead of using this entire setup with ASR9K, etc, I just want to use ASR9000v module and have this AS9K + ISM as the host. The first problem I see in this scenario is that I have the same 10.0.0.0/8 network in both sites, network which will access the same resources as the devices in the 10.0.0.0/8 in the main site.
1) Do you think if I create a new inside VRF [NAT_IN1] would address this issue?
2) Can I use the same outside VRF?
Here is the configurations.
!! IOS XR Configuration 4.3.1
vrf NAT_IN
address-family ipv4 unicast
import route-target
65500:2
65500:3
export route-target
65500:3
vrf RED
address-family ipv4 unicast
import route-target
65500:1
export route-target
65500:1
vrf NAT_OUT
address-family ipv4 unicast
import route-target
65500:4
export route-target
65500:4
vrf SATELLITE
vrf BLUE
address-family ipv4 unicast
import route-target
65500:2
export route-target
65500:2
hw-module service cgn location 0/3/CPU0
ipv4 access-list ABF
5 permit ospf any any
10 permit ipv4 any 10.200.0.0 0.0.255.255 nexthop1 vrf NAT_IN ipv4 10.0.2.2
20 permit icmp any any
interface Bundle-Ether3
description Uplink (BE3 - VRF NAT_IN) - VLAN 20
vrf NAT_IN
ipv4 address 1.1.1.1 255.255.255.0
ipv4 access-group ABF ingress
interface Bundle-Ether22
description LOOPBACK CABLE NAT_OUT
vrf NAT_OUT
ipv4 address 10.0.1.1 255.255.255.0
interface Bundle-Ether23
description LOOPBACK CABLE BLUE
vrf BLUE
ipv4 address 10.0.1.2 255.255.255.0
interface 6
description Uplink (BE6 - Global) - VLAN 20,51,80-82
interface 6.2
ipv4 address 1.1.1.2 255.255.255.0
encapsulation dot1q 2
interface 6.51 l2transport
description EFP - BE6 - VLAN 51
encapsulation dot1q 51
rewrite ingress tag pop 1 symmetric
interface 6.80 l2transport
description EFP - BE6 - VLAN 80
encapsulation dot1q 80
rewrite ingress tag pop 1 symmetric
interface 6.81 l2transport
description EFP - BE6 - VLAN 81
encapsulation dot1q 81
rewrite ingress tag pop 1 symmetric
interface 6.82 l2transport
description EFP - BE6 - VLAN 82
encapsulation dot1q 82
rewrite ingress tag pop 1 symmetric
interface Bundle-Ether100
description Bundle to Satellite 100
vrf SATELLITE
ipv4 point-to-point
ipv4 unnumbered Loopback0
nv
satellite-fabric-link satellite 100
remote-ports GigabitEthernet 0/0/0-43
interface Bundle-Ether200
description Bundle to Satellite 200
vrf SATELLITE
ipv4 point-to-point
ipv4 unnumbered Loopback0
nv
satellite-fabric-link satellite 200
remote-ports GigabitEthernet 0/0/0-43
interface Bundle-Ether300
description Bundle to Satellite 300
vrf SATELLITE
ipv4 point-to-point
ipv4 unnumbered Loopback0
nv
satellite-fabric-link satellite 300
remote-ports GigabitEthernet 0/0/0-35
interface Loopback0
description MGMT SATELLITE
vrf SATELLITE
ipv4 address 10.0.0.254 255.255.255.0
interface tunnel-ip31101
description BLUE-TUNNEL01
vrf BLUE
ipv4 address 10.200.253.90 255.255.255.252
tunnel mode gre ipv4
tunnel source 6.2
tunnel destination 13.13.13.13
interface tunnel-ip31102
description BLUE-TUNNEL02
vrf BLUE
ipv4 address 10.200.253.94 255.255.255.252
tunnel mode gre ipv4
tunnel source 6.2
tunnel destination 14.14.14.14
interface tunnel-ip31103
description RED-TUNNEL03
vrf RED
ipv4 address 10.200.253.90 255.255.255.252
tunnel mode gre ipv4
tunnel source 6.2
tunnel destination 13.13.13.13
interface tunnel-ip31104
description RED-TUNNEL04
vrf RED
ipv4 address 10.200.253.94 255.255.255.252
tunnel mode gre ipv4
tunnel source 6.2
tunnel destination 14.14.14.14
interface TenGigE0/0/0/0
description LINK TO SATELLITE 100
bundle id 100 mode on
interface TenGigE0/0/0/1
description LINK TO SATELLITE 100
bundle id 100 mode on
interface TenGigE0/0/0/2
description LINK TO SATELLITE 200
bundle id 200 mode on
interface TenGigE0/0/0/3
description LINK TO SATELLITE 200
bundle id 200 mode on
interface TenGigE0/0/0/4
description LINK TO SATELLITE 300
vrf SATELLITE
ipv4 point-to-point
ipv4 unnumbered Loopback0
nv
satellite-fabric-link satellite 300
remote-ports GigabitEthernet 0/0/36-43
interface TenGigE0/0/0/5
description LINK TO SATELLITE 300
bundle id 300 mode on
interface TenGigE0/0/0/16
description UPLINK (BE6 - GLOBAL) - VLAN 20,51,80-82
bundle id 6 mode active
interface TenGigE0/1/0/16
description UPLINK (BE6 - GLOBAL) - VLAN 20,51,80-82
bundle id 6 mode active
interface TenGigE0/0/0/17
description UPLINK (BE3 - VRF NAT_IN) - VLAN 20
bundle id 3 mode active
interface TenGigE0/1/0/17
description UPLINK (BE3 - VRF NAT_IN) - VLAN 20
bundle id 3 mode active
interface TenGigE0/0/0/22
description LOOPBACK CABLE TE0/1/0/22
bundle id 22 mode on
interface TenGigE0/0/0/23
description LOOPBACK CABLE TE0/1/0/23
bundle id 22 mode on
interface TenGigE0/1/0/0
description LINK TO SATELLITE 100
bundle id 100 mode on
interface TenGigE0/1/0/1
description LINK TO SATELLITE 100
bundle id 100 mode on
interface TenGigE0/1/0/2
description LINK TO SATELLITE 200
bundle id 200 mode on
interface TenGigE0/1/0/3
description LINK TO SATELLITE 200
bundle id 200 mode on
interface TenGigE0/1/0/4
description LINK TO SATELLITE 300
bundle id 300 mode on
interface TenGigE0/1/0/5
description LINK TO SATELLITE 300
bundle id 300 mode on
interface TenGigE0/1/0/22
description LOOPBACK CABLE TE0/0/0/22
bundle id 23 mode on
interface TenGigE0/1/0/23
description LOOPBACK CABLE TE0/0/0/23
bundle id 23 mode on
interface BVI30
vrf RED
ipv4 address 10.200.25.193 255.255.255.192
interface BVI31
vrf BLUE
ipv4 address 10.200.1.1 255.255.255.248
interface BVI32
vrf BLUE
ipv4 address 10.200.25.129 255.255.255.224
interface BVI33
vrf BLUE
ipv4 address 10.200.25.1 255.255.255.128
interface BVI36
vrf BLUE
ipv4 address 10.200.237.145 255.255.255.240
interface BVI51
vrf RED
ipv4 address 192.168.7.12 255.255.255.0
interface BVI80
vrf RED
ipv4 address 10.200.26.169 255.255.255.224
interface BVI81
vrf BLUE
ipv4 address 10.200.25.164 255.255.255.240
interface BVI82
vrf BLUE
ipv4 address 10.200.25.180 255.255.255.240
interface ServiceApp1
description NAT_IN
vrf NAT_IN
ipv4 address 10.0.2.1 255.255.255.252
service cgn CGN service-type nat44
interface ServiceApp2
description NAT_OUT
vrf NAT_OUT
ipv4 address 10.0.2.5 255.255.255.252
service cgn CGN service-type nat44
interface ServiceInfra1
description ISM
ipv4 address 10.0.3.1 255.255.255.0
service-location 0/3/CPU0
prefix-set PS_ROUTES
10.200.0.8,
10.200.5.40/29,
10.200.1.0/29,
10.200.5.32/29,
10.200.0.144/28,
10.200.106.0/28,
10.200.106.16/28
end-set
prefix-set PS_BGP_BLUE_OUT
10.200.24.192/26,
10.200.5.40/29,
10.200.240.0/25,
10.200.1.0/29,
10.200.25.128/27,
10.200.25.0/25,
10.200.5.32/29,
10.200.26.0/25,
10.200.0.144/28,
10.200.27.128/27,
10.200.27.0/25,
10.200.106.0/28,
10.200.106.128/25,
10.200.106.16/28,
10.200.107.128/25
end-set
route-policy RP_DENY_ALL
drop
end-policy
route-policy RP_PASS_ALL
pass
end-policy
route-policy RP_BGP_BLUE_OUT
if destination in PS_BGP_BLUE_OUT then
pass
endif
end-policy
route-policy RP_PASS_ROUTES
if destination in PS_ROUTES then
pass
endif
end-policy
router static
address-family ipv4 unicast
0.0.0.0/0 1.1.1.20
vrf NAT_IN
address-family ipv4 unicast
0.0.0.0/0 ServiceApp1
vrf RED
vrf NAT_OUT
address-family ipv4 unicast
0.0.0.0/0 10.0.1.2
10.200.24.192/26 ServiceApp2
vrf BLUE
address-family ipv4 unicast
10.200.24.192/26 10.0.1.1
router ospf
log adjacency changes
vrf NAT_IN
router-id 1.1.1.1
disable-dn-bit-check
redistribute bgp 65500 metric 5 metric-type 2 route-policy RP_PASS_ROUTES
area 7
interface Bundle-Ether3
router ospf RED
log adjacency changes
vrf RED
router-id 10.200.26.169
disable-dn-bit-check
redistribute bgp 65500 metric 10 metric-type 2
area 11
interface BVI30
interface BVI80
router ospf BLUE
log adjacency changes
vrf BLUE
router-id 10.200.25.164
disable-dn-bit-check
redistribute static
redistribute bgp 65500 metric 10 metric-type 2
area 0
interface BVI81
interface BVI82
area 2
interface BVI31
interface BVI32
interface BVI33
interface BVI36
router bgp 65500
address-family ipv4 unicast
address-family vpnv4 unicast
vrf NAT_IN
rd 65500:3
bgp router-id 1.1.1.1
address-family ipv4 unicast
route-target download
vrf RED
rd 65500:1
bgp router-id 10.200.253.90
address-family ipv4 unicast
network 10.200.25.192/26
network 10.200.26.128/27
network 10.200.26.192/27
network 10.200.27.192/26
network 10.200.104.128/27
network 10.200.104.160/27
neighbor 10.200.253.89
remote-as 64512
ebgp-multihop 5
update-source tunnel-ip31103
address-family ipv4 unicast
route-policy RP_PASS_ALL in
route-policy RP_PASS_ALL out
soft-reconfiguration inbound
neighbor 10.200.253.93
remote-as 64512
ebgp-multihop 5
update-source tunnel-ip31104
address-family ipv4 unicast
route-policy RP_PASS_ALL in
route-policy RP_PASS_ALL out
soft-reconfiguration inbound
vrf BLUE
rd 65500:2
bgp router-id 10.200.253.90
address-family ipv4 unicast
network 10.200.0.144/28
network 10.200.1.0/29
network 10.200.5.32/29
network 10.200.5.40/29
network 10.200.24.192/26
network 10.200.25.0/25
network 10.200.25.128/27
network 10.200.26.0/25
network 10.200.27.0/25
network 10.200.27.128/27
network 10.200.106.0/28
network 10.200.106.16/28
network 10.200.106.128/25
network 10.200.107.128/25
network 10.200.240.0/25
neighbor 10.200.253.89
remote-as 64512
ebgp-multihop 5
update-source tunnel-ip31101
address-family ipv4 unicast
route-policy RP_PASS_ALL in
route-policy RP_BGP_BLUE_OUT out
soft-reconfiguration inbound
neighbor 10.200.253.93
remote-as 64512
ebgp-multihop 5
update-source tunnel-ip31102
address-family ipv4 unicast
route-policy RP_PASS_ALL in
route-policy RP_BGP_BLUE_OUT out
soft-reconfiguration inbound
l2vpn
load-balancing flow src-dst-ip
bridge group VLAN30
bridge-domain VLAN30
routed interface BVI30
bridge group VLAN31
bridge-domain VLAN31
routed interface BVI31
bridge group VLAN32
bridge-domain VLAN32
routed interface BVI32
bridge group VLAN33
bridge-domain VLAN33
routed interface BVI33
bridge group VLAN36
bridge-domain VLAN36
routed interface BVI36
bridge group VLAN51
bridge-domain VLAN51
routed interface BVI51
bridge group VLAN80
bridge-domain VLAN80
interface 6.80
routed interface BVI80
bridge group VLAN81
bridge-domain VLAN81
interface 6.81
routed interface BVI81
bridge group VLAN82
bridge-domain VLAN82
interface 6.82
routed interface BVI82
nv
satellite 100
type asr9000v
ipv4 address 10.0.0.1
satellite 200
type asr9000v
ipv4 address 10.0.0.2
satellite 300
type asr9000v
ipv4 address 10.0.0.3
service cgn CGN
service-location preferred-active 0/3/CPU0
service-type nat44 nat44
portlimit 20000
inside-vrf NAT_IN
map outside-vrf NAT_OUT address-pool 10.200.24.192/26
Thanks in advance,
Renato -
DHCP won't lease IP addresses on 877 WLAN but does on wired connections
We have set up an 877 with wireless in one of our remote offices and come across a problem not seen before. (Set many 877s up before.)
The DHCP configured on the router won't lease to wireless devices, only to wired devices.
Even giving the wireless devices a static IP, the traffic doesn't seem to pass, although the Wi-Fi connection says connected on the laptops.
The config is as follows (pretty basic, internet access and 1 VPN tunnel)...
Please can anyone advise if something is wrong?
sh run
Building configuration...
Current configuration : 3869 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
enable password XXXXXXX
no aaa new-model
dot11 syslog
dot11 ssid PPWireless
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 0 XXXXXXX
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.40.1 192.168.40.24
ip dhcp excluded-address 192.168.40.101 192.168.40.254
ip dhcp pool DHCP
network 192.168.40.0 255.255.255.0
domain-name XXXXXXXX.local
dns-server 172.16.1.3 194.72.9.38
default-router 192.168.40.254
lease 3
ip domain name XXXXXXXXX.local
ip name-server 172.16.1.3
ip name-server 194.72.9.38
ip name-server 194.72.9.34
username admin privilege 15 password 0 XXXXXXXX
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key finance address 213.123.142.54
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to213.123.142.54
set peer 213.123.142.54
set transform-set ESP-3DES-SHA
match address 101
archive
log config
hidekeys
bridge irb
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Dot11Radio0
no ip address
encryption vlan 1 mode ciphers tkip
broadcast-key vlan 1 change 30
ssid PPWireless
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.1
encapsulation dot1Q 1 native
ip nat inside
ip virtual-reassembly
no cdp enable
interface Vlan1
no ip address
bridge-group 1
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname XXXXXXXXXXXXXXXXXX
ppp chap password 0 XXXXXXXXXXXXXX
crypto map SDM_CMAP_1
interface BVI1
description $ES_LAN$
ip address 192.168.40.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
access-list 100 remark CCP_ACL Category=2
access-list 100 remark SDM_ACL Category=16
access-list 100 remark IPSec Rule
access-list 100 deny ip 192.168.40.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.40.0 0.0.0.255 172.16.1.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address 100
control-plane
bridge 1 protocol ieee
bridge 1 route ip
line con 0
no modem enable
line aux 0
line vty 0 4
password finance
login
scheduler max-task-time 5000
end
Router#
Hi, you have some mistakes in your configuration.
1- bridge-group 1 has to be under the dot11radio 0.1 interface and not under the dot11radio 0 interface.
2- ip nat inside has to be only under bvi 1 and not anywhere else.
I will paste your modified router config for you.
Give it a shot.
dot11 ssid PPWireless
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 0 XXXXXXX
ip dhcp excluded-address 192.168.40.1 192.168.40.24
ip dhcp excluded-address 192.168.40.101 192.168.40.254
ip dhcp pool DHCP
network 192.168.40.0 255.255.255.0
domain-name XXXXXXXX.local
dns-server 172.16.1.3 194.72.9.38
default-router 192.168.40.254
lease 3
ip domain name XXXXXXXXX.local
ip name-server 172.16.1.3
ip name-server 194.72.9.38
ip name-server 194.72.9.34
username admin privilege 15 password 0 XXXXXXXX
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key finance address 213.123.142.54
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to213.123.142.54
set peer 213.123.142.54
set transform-set ESP-3DES-SHA
match address 101
archive
log config
hidekeys
bridge irb
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Dot11Radio0
no ip address
encryption vlan 1 mode ciphers tkip
broadcast-key vlan 1 change 30
ssid PPWireless
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Vlan1
no ip address
bridge-group 1
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname XXXXXXXXXXXXXXXXXX
ppp chap password 0 XXXXXXXXXXXXXX
crypto map SDM_CMAP_1
interface BVI1
description $ES_LAN$
ip address 192.168.40.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
access-list 100 remark CCP_ACL Category=2
access-list 100 remark SDM_ACL Category=16
access-list 100 remark IPSec Rule
access-list 100 deny ip 192.168.40.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.40.0 0.0.0.255 172.16.1.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address 100
control-plane
bridge 1 protocol ieee
bridge 1 route ip
line con 0
no modem enable
line aux 0
line vty 0 4
password finance
login -
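The two placement rules from the reply above (bridge-group on the dot1Q subinterface rather than the main radio interface, and ip nat inside only on the BVI) can be checked mechanically. This is an added example, not part of the thread: the BEFORE excerpt is constructed from the question's interface stanzas, and the names RULES, parse_interfaces and audit are assumptions made for illustration.

```python
import re

# Constructed excerpt modelled on the interface stanzas in the question
# (flattened, without indentation or "!" separators, as pasted in the thread).
BEFORE = """interface Dot11Radio0
bridge-group 1
bridge-group 1 spanning-disabled
interface Dot11Radio0.1
encapsulation dot1Q 1 native
ip nat inside
interface Vlan1
bridge-group 1
interface BVI1
ip nat inside
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
"""

# Whole-line patterns for the only commands the two rules care about.
RULES = {"bridge": r"bridge-group \d+", "nat_inside": r"ip nat inside",
         "dot1q": r"encapsulation dot1Q \d+.*"}

def parse_interfaces(config):
    """Return {interface: flags}. Commands are matched whole-line, so the global
    'ip nat inside source ...' line is never mistaken for an interface command."""
    flags, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = line.split()[1]
            flags[current] = set()
        elif current:
            flags[current] |= {k for k, p in RULES.items() if re.fullmatch(p, line)}
    return flags

def audit(config):
    """Apply the reply's two placement rules and return a list of findings."""
    flags, findings = parse_interfaces(config), []
    for name, f in flags.items():
        subs = [s for s in flags if s.startswith(name + ".") and "dot1q" in flags[s]]
        if "bridge" in f and subs:
            findings.append(f"{name}: bridge-group belongs on {subs[0]}")
        if "nat_inside" in f and not name.upper().startswith("BVI"):
            findings.append(f"{name}: 'ip nat inside' belongs only on the BVI")
    return findings

if __name__ == "__main__":
    for finding in audit(BEFORE):
        print(finding)
```

Run against the corrected stanzas from the reply, audit returns an empty list.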
Hello!
There're two physical servers (Hyper-V is not installed) with two nic teams, each consisting of two 1Gb nics:
To test these teams I tried to copy two files from server1 to server2:
1) I started copying the first file and ~20 sec later started copying the second file to the same SSD (from server1 to server2)
2) I copied ~simultaneously two different files to the two different SSDs (from server1 to server2)
As shown in picture 1, when I added the second copy, the first one stopped completely, although this SSD can tolerate transfer rates up to 350-380MBps.
Both pictures show that the total file transfer speed was less than that of a single team member (1Gbps):
0+112MBps < 1Gbps
57.1 MBps + 56.5MBps < 1Gbps
According to http://technet.microsoft.com/en-us/library/hh831648.aspx
NIC Teaming, also known as load balancing and failover (LBFO), allows multiple network adapters on a computer to be placed into a team for the following purposes:
Bandwidth aggregation
Traffic failover to prevent connectivity loss in the event of a network component failure
Test1 and Test2 show no bandwidth aggregation... Are my tests wrong?
Thank you in advance,
Michael
P.S. In a production network it means users would read data from servers using the total amount of a team's bandwidth but write data using the bandwidth of a single team member - that's not what I would ever like to have in my network.
And once again: http://technet.microsoft.com/en-us/library/hh831648.aspx
Traffic distribution algorithms
NIC Teaming in Windows Server 2012 supports the following traffic distribution methods:
Hashing. This algorithm creates a hash based on components of the packet, and then it assigns packets that have that hash value to one of the available network adapters. This keeps all packets from the same TCP stream on the same network adapter. Hashing alone usually creates balance across the available network adapters. Some NIC Teaming solutions that are available on the market monitor the distribution of the traffic and reassign specific hash values to different network adapters in an attempt to better balance the traffic. The dynamic redistribution is known as smart load balancing or adaptive load balancing.
The components that can be used as inputs to the hashing function include:
Source and destination MAC addresses
Source and destination IP addresses, with or without considering the MAC addresses (2-tuple hash)
Source and destination TCP ports, usually used along with the IP addresses (4-tuple hash)
I don't see in this explanation any reason for not creating balance when the sources are different but the destination is the same...
Regards,
Michael
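The hashing model in the quoted TechNet text can be simulated to see what it implies for two concurrent copies between the same pair of servers. This is an added example, not part of the thread or of Microsoft's implementation: SHA-256 stands in for the unspecified hash, and the addresses, ports and function names are constructed assumptions.

```python
import hashlib
import socket
import struct

ADAPTERS = 2      # team members, as in the post (two 1 Gb NICs per team)
LINK_GBPS = 1.0   # capacity of one team member

def pick_adapter(src_ip, dst_ip, src_port=None, dst_port=None):
    """Return the team member index for a flow.
    Without ports this is a 2-tuple (IP) hash, with ports a 4-tuple hash.
    SHA-256 is a stand-in: the real hash function is not given in the text."""
    key = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    if src_port is not None:
        key += struct.pack("!HH", src_port, dst_port)
    return hashlib.sha256(key).digest()[0] % ADAPTERS

def team_ceiling_gbps(flows, use_ports):
    """Upper bound on the aggregate send rate: one link per adapter in use."""
    used = {pick_adapter(s, d, sp if use_ports else None, dp)
            for s, d, sp, dp in flows}
    return len(used) * LINK_GBPS

def collision_rate(src, dst, dst_port=445, pairs=1000):
    """Share of flow pairs (differing only in source port) that land on the
    same adapter under 4-tuple hashing."""
    same = 0
    for i in range(pairs):
        a = pick_adapter(src, dst, 49152 + 2 * i, dst_port)
        b = pick_adapter(src, dst, 49153 + 2 * i, dst_port)
        same += (a == b)
    return same / pairs

# Constructed addresses (documentation range) standing in for server1/server2.
SERVER1, SERVER2 = "192.0.2.10", "192.0.2.20"
TWO_COPIES = [(SERVER1, SERVER2, 50001, 445), (SERVER1, SERVER2, 50002, 445)]

if __name__ == "__main__":
    print("2-tuple ceiling:", team_ceiling_gbps(TWO_COPIES, use_ports=False), "Gbps")
    print("4-tuple ceiling:", team_ceiling_gbps(TWO_COPIES, use_ports=True), "Gbps")
    print("4-tuple collision rate:", collision_rate(SERVER1, SERVER2))
```

In this model a 2-tuple hash always puts both copies on the same team member, and a 4-tuple hash with two members puts them on the same member about half the time.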