HSRP on 6509 [7:15570]
Hi All, I have a problem here with HSRP on 6509. The Cisco 6509 has 2 MSFC cards. As I understand correctly, only the first card (active one) does the routing. The second card (standby one) should do NOTHING, unless the first card goes down (please correct me if I am wrong). In my case, things are different. It seems both cards do the routing. When I do a trace on a destination, the result flips flop between the actually IP addresses of the vlan on both cards. Let's say I have VLAN 100 with: Virtual IP address = 10.100.1.100 255.255.0.0 IP address on first card (active) = 10.100.1.1 255.255.0.0 IP address on second card (standbly) = 10.100.1.2 255.255.0.0 When I do the trace on a destination that pass through this 6509, some path includes 10.100.1.1, while other includes 10.100.1.2 Is there some way I can check if the HSRP is configured correctly on my 6509? Thanks in advance! Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=15570&t=15570 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: HSRP on 6509 [7:15570]
Yes, I do run EIGRP. Will EIGRP cause the problem? ""Jim Yam"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > What routing protocol are you running? EIGRP will do load sharing between > two interfaces. > > JY > > ""Thomas N."" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > Hi All, > > > > I have a problem here with HSRP on 6509. The Cisco 6509 has 2 MSFC cards. > > As I understand correctly, only the first card (active one) does the > > routing. The second card (standby one) should do NOTHING, unless the > first > > card goes down (please correct me if I am wrong). In my case, things are > > different. It seems both cards do the routing. When I do a trace on a > > destination, the result flips flop between the actually IP addresses of > the > > vlan on both cards. Let's say I have VLAN 100 with: > > > > Virtual IP address = 10.100.1.100 255.255.0.0 > > IP address on first card (active) = 10.100.1.1 255.255.0.0 > > IP address on second card (standbly) = 10.100.1.2 255.255.0.0 > > > > When I do the trace on a destination that pass through this 6509, some > path > > includes 10.100.1.1, while other includes 10.100.1.2 > > > > Is there some way I can check if the HSRP is configured correctly on my > > 6509? Thanks in advance! > > > > Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=15576&t=15570 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: HSRP on 6509 [7:15570]
OK, it seems that my 6509 is running an a hybrid mode. It has 2 supervisor engine cards running CATOS and 2 MSFC cards running IOS. Also, There are multiple groups (one group per VLAN). All group use the first MSFC card for routing ( this is based on the "show standby" on the first card IOS that said all the card is active for all VLANs). I also have EIGRP and NAT running on the first MSFC card (and of course on the second card with same configuration). Problem: - Though the second MSFC card indicated that it is the standby router for all VLANs (verified with "show standby" ), it actually still DOES the routing and load balancing between the VLANs. - Since the second MSFC is also configured for NAT with the exactly NAT translation as the first MSFC, it actually NAT some of the IP addresses. Question: - Is there any way to keep the EIGRP still on both MSFC IOS and keep the second MSFC stay standby still (no routing, no load balancing, no natting and nothing else), listen and only kick off if the first MFSC died? Thanks All for the help and suggestion!!! Thomas ""Thomas N."" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Hi All, > > I have a problem here with HSRP on 6509. The Cisco 6509 has 2 MSFC cards. > As I understand correctly, only the first card (active one) does the > routing. The second card (standby one) should do NOTHING, unless the first > card goes down (please correct me if I am wrong). In my case, things are > different. It seems both cards do the routing. When I do a trace on a > destination, the result flips flop between the actually IP addresses of the > vlan on both cards. Let's say I have VLAN 100 with: > > Virtual IP address = 10.100.1.100 255.255.0.0 > IP address on first card (active) = 10.100.1.1 255.255.0.0 > IP address on second card (standbly) = 10.100.1.2 255.255.0.0 > > When I do the trace on a destination that pass through this 6509, some path > includes 10.100.1.1, while other includes 10.100.1.2 > > Is there some way I can check if the HSRP is configured correctly on my > 6509? Thanks in advance! > > Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=15581&t=15570 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RIPv2 [7:16105]
Hi All, I wonder if RIPv2 support load balancing? Does it choose path based on the hop count only? Thanks All!!! Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16105&t=16105 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Boot IOS from PCMCIA card [7:16106]
Hi All, On my Cisco 3620 router, I have two different IOS images. One is on the internal SIMM flash. The other is on the PCMCIA flash card. I would like the router to boot the image from the PCMCIA card instead of the internal flash. What command should I use? Thanks and sorry for the simple question! Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16106&t=16106 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: 2524 and 2501 back to back [7:16028]
There is some article on Cisco web site at show how to connect routers back-to-back using the AUX ports. So I think you can apply this to your two routers, unless you intent to use the AUX ports for something else. Thomas ""Charles Ryan"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Hello group, > > Sorry if this has been covered before, I've checked the archives and I can't > seem to find anything relevant to my question. > > I have a 2524 with a built in FT1/T1 csu-dsu module, and I wish to connect > it back to back with a 2501 (DB-60 on the serial port). > > I'm trying to figure out how I could go about doing it without having to > attempt to find a 5-in-1 serial module for the 2524. Do I need to get > another csu/dsu for the 2501 and then connect them together that way (with > the RJ-45 cable from the 2524 going into the other csu/dsu, then the > V.35/DB-60 going into the 2501 serial port)? > > Sorry for the basic question, if anyone out there has done this, I would > greatly appreciate hearing from you. Appreciate any and all help with this, > links, etc. are also greatly appreciated. > > Thanks! > > -Chuck Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16107&t=16028 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Boot IOS from PCMCIA card [7:16106]
Thanks All!!! Thomas ""Nigel Taylor"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Thomas, > You've got a couple of choices.. you could move the IOS > image from the PCMCIA card to the physical Flash of the router and just boot > it as normal. The other choice is to add the command "boot system" and tell > it which IOS image to use... > > HTH > > Nigel . > > - Original Message - > From: Thomas N. > To: > Sent: Tuesday, August 14, 2001 10:36 PM > Subject: Boot IOS from PCMCIA card [7:16106] > > > > Hi All, > > > > On my Cisco 3620 router, I have two different IOS images. One is on the > > internal SIMM flash. The other is on the PCMCIA flash card. I would like > > the router to boot the image from the PCMCIA card instead of the internal > > flash. What command should I use? Thanks and sorry for the simple > > question! > > > > Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16117&t=16106 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: RIPv2 [7:16105]
Here is my scenario: My CAT6509 has 2 supervisor1 and 2 MSFC1. It runs HSRP in the Hyrid mode. On this box, I also run EIGRP and NAT. Every VLANs on the first msfc card have higher priority and therefore in active mode. VLANs on 2nd card have lower priority and therefore should be in standby mode. Here are the problem: - In Hyrid mode of HSRP, both MSFCs on the same chassis will be active and do the routing. - EIGRP sees paths through these VLANs (on both MSFCs) with the EXACTLY same metric and therefore does the load balancing. - With the NAT (static) turned on on both MSFCs, translated (NATed) packets get confused between outside and inside VLANs because of EIGRP load balancing. I wonder if replacing EIGRP protocol with RIPv2 will solve the problem? since RIPv2 metric is based on hop counts. Below is my configuration on 2 MSFCs: -- MSFC # 1 interface vlan 10 ip address 10.10.100.1 255.255.0.0 ip nat inside standby 10 priority 100 standby 10 ip 10.10.100.100 interface vlan 20 ip address 10.20.100.1 255.255.0.0 ip nat inside standbly 20 priority 100 standby 20 ip 10.20.100.100 interface vlan 30 ip address 198.198.198.1 255.255.255.0 ip nat outside standby 30 priority 100 standby 30 ip 198.198.198.100 Router EIGRP 200 network 10.0.0.0 no auto-summary - MSFC # 2 interface vlan 10 ip address 10.10.100.2 255.255.0.0 ip nat inside standby 10 priority 50 standby 10 ip 10.10.100.100 interface vlan 20 ip address 10.20.100.2 255.255.0.0 ip nat inside standbly 20 priority 50 standby 20 ip 10.20.100.100 interface vlan 30 ip address 198.198.198.2 255.255.255.0 ip nat outside standby 30 priority 50 standby 30 ip 198.198.198.100 Router EIGRP 200 network 10.0.0.0 no auto-summary - Again, Thanks All! Thomas N. ""Nigel Taylor"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Thomas, > Yes... Yes.. I'll expand on my first "Yes" in > saying that the load balancing would be dependent on the model router and > what type of switching you were doing on the interface of the router. > > HTH > > Nigel.. > > - Original Message - > From: Thomas N. > To: > Sent: Tuesday, August 14, 2001 10:31 PM > Subject: RIPv2 [7:16105] > > > > Hi All, > > > > I wonder if RIPv2 support load balancing? Does it choose path based on > the > > hop count only? Thanks All!!! > > > > Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16121&t=16105 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: problems with uploading cisco image [7:16404]
That boot ROM is too old. It cannot recognize the 8MB flash module. You need at least boot ROM version 5.2 in order to read the 8MB flash module. The latest boot ROM is 11.0(10c) I believe. You can get these boot ROM from Cisco. Thomas N. ""Rik Thomas"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Here is the error I keep getting, download seems to complete fine, I have > downloaded it three times keep getting the same error? Any wisdom? > > Verifying checksum... invalid (expected 0xF45, computed 0xCF6D) > Flash copy took 176832 msecs > Router(boot)#reload > [confirm]y > System Bootstrap, Version 4.14(9.1), SOFTWARE > Copyright (c) 1986-1994 by cisco Systems > 2500 processor with 16384 Kbytes of main memory > > -- > Rik Thomas > [EMAIL PROTECTED] http://SmartBackups.com > Is your Website Smart? Automated Website backups. Free 30Day trial! > Ph: 302.672.7314 Fx: 302.672.7315 ICQ: 879956 Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16425&t=16404 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Difficulty - CCIE written or CCNP [7:16504]
Sorry I cannot answer. However I do have additional question. Can one take CCIE written exam, then CCIE lab exam and become CCIE without going through CCNA and CCNP??? ""James Harris"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Would anyone who has taken the CCNP and the CCIE written exam > care to advise which is the hardest? I hear the CCIE written > exam is very basic. It certainly covers some simple topics but > would a candidate need to know networking to CCNP level or > higher to achieve thes pass mark? Put another way, how would you > compare two people, one with CCNP and not CCIE written, the > other with the CCIE written and not CCNP? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16514&t=16504 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Difficulty - CCIE written or CCNP [7:16504]
Thanks All for the info!!! Thomas N. ""EA Louie"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > yes. they are different certification programs > > - Original Message - > From: Thomas N. > To: > Sent: Sunday, August 19, 2001 8:31 PM > Subject: Re: Difficulty - CCIE written or CCNP [7:16504] > > > > Sorry I cannot answer. However I do have additional question. Can one > take > > CCIE written exam, then CCIE lab exam and become CCIE without going > through > > CCNA and CCNP??? > > > > > > > > ""James Harris"" wrote in message > > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > > Would anyone who has taken the CCNP and the CCIE written exam > > > care to advise which is the hardest? I hear the CCIE written > > > exam is very basic. It certainly covers some simple topics but > > > would a candidate need to know networking to CCNP level or > > > higher to achieve thes pass mark? Put another way, how would you > > > compare two people, one with CCNP and not CCIE written, the > > > other with the CCIE written and not CCNP? > _ > Do You Yahoo!? > Get your free @yahoo.com address at http://mail.yahoo.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16610&t=16504 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Configure Register on Cisco 2500 router - urgent! [7:17087]
Hi All, Cisco 2500 have the factory-default setting of 0x2102 for the register. This will boot from the IOS image on the flash WITH the configuration on the NVRAM. I wonder what other value I can use beside this 0x2102? My original problem was that I just upgraded the IOS for this Cisco 2500 router. The upgrade was successfully. I got the correct checksum. The register setting was then changed back t the factory-default 0x2102 (changed to 0x2141 for booting from Boot mode to upgrade the image). However, when I rebooted the router, the router kept reseting itself. I wonder if there is any other value beside 0x2102 that I can use for the register to let the router boot from the flash with the configuration? The router was also hardware upgrade with: - Boot ROM = 11.0(10c) - 16MB flash - 16MB memory The new IOS image is IP/H.323 version 12.2(1) Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=17087&t=17087 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Connect 6509 with CONSOLE [7:17983]
Hi All, I attempted to access to the CAT 6509 with the CONSOLE port today. This 6509 is in production. It appeared that I didn't get any output on my HyperTerminal. My HyperTerminal setting is: 9600 bits per second, Data bits = 8, Parity = none, Stope bit = 2 (as indicated on Cisco.com), Flow control = none. There's also a little hidden hole right next to the CONSOLE port labelled as "Console mode...". I don't know if I have to change something to access the console? Also, if I have to press that hidden hole to access the Console mode, will it affect the production enviroment? Thanks All in advance! Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=17983&t=17983 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Connect 6509 with CONSOLE [7:17983]
Thanks All! I changed the cable and it worked! ""Jeff Gercken"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > I carry a 2" rollover cable and a coupler as well as the std 3' rollover. > This way if you can always create the cable that works. > > PS I hate that little button. I love what it does but I never have anything > to poke it with. Need to tape a paper clip to each switch. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=18134&t=17983 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Reseting Supervisor Engine and/or MSFC [7:18138]
Hi All, My 6509 has dual Supervisor Engines and dual MSFC cards. It runs in Hyrid mode. I plan to upgrade the IOS of the MSFC cards only, NOT the Supervisor Engines. I wonder: 1. Is IOS version of MSFC dependent on the CATOS version of Supervisor Engine? 2. When I reset after the upgrade, do I have to reset the whole module (Supervisor Engine + MSFC) or just the MSFC? If I cannot reset only the MSFC, in what mode should I issue the reset command? CATOS or IOS in this case (IOS is in session 15 or 16)? Will this reset both the Supervisor and the MSFC? 3. Should I not losing the configuration which I assumed they're saved in NVRAM of the MSFC or Sup. Engine? Again, Thanks much to All!!! Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=18138&t=18138 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: what is needed for an ISDN LAB ?? [7:18141]
I heard that if one has an Adtran 800, he/she can use it as the ISDN switch... ""Jaspreet Bhatia"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Guys, > I am trying to setup an ISDN lab and do not have access to > an ISDN switch . What I do have is two BRI lines each with a SPID . Will > that be sufficient or so I need anything else ? Thanks > > Jaspreet Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=18157&t=18141 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Working ISL/DOT1Q config [7:18070]
I ran into this problem before. The way you configure would work only if you encapsulate using ISL. If you use the dot1q, you have to configure the physical interface FE0/0 with a management VLAN (VLAN 1 by default). Sub-interfaces will be assigned a different VLAN and encapsulated with dot1q. ""Cisco Lover"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Hi friends.. > > Can any one send me any working configuration for trunking using cat5 for > intervlan routing.. > > I have followed all the instructions in books and everwhere but still cant > get it work..Donot know where I m wrong.(Config atttached) > > Thanks for the help.. > > Cisco Lover > > > FE router: > > > interface FastEthernet0/0 > no ip address > no ip directed-broadcast > speed 100 > full-duplex > ! > interface FastEthernet0/0.1 > encapsulation dot1Q 1 > ip address 190.100.1.10 255.255.255.0 > no ip directed-broadcast > ! > interface FastEthernet0/0.2 > encapsulation dot1Q 2 > ip address 190.100.2.10 255.255.255.0 > no ip directed-broadcast > > Router1 > > interface Ethernet0 > ip address 190.100.1.1 255.255.255.0 > no ip directed-broadcast > > router2 > interface Ethernet0 > ip address 190.100.2.1 255.255.255.0 > > CAtalyst: > port32:Vlan1 > port33:vlan2 > > set interface sc0 1 190.100.1.20/255.255.255.0 190.100.1.255 > > set interface sl0 down > set interface me1 down > set ip route 0.0.0.0/0.0.0.0 190.100.1.10 > ! > #syslog > set logging level cops 2 default > ! > #set boot command > set boot config-register 0x2 > set boot system flash bootflash:cat4000.5-5-1.bin > set boot system flash bootflash:cat5000-sup3.4-2-1.bin > set boot system flash bootflash:cat4000.5-4-2.bin > ! > #module 1 : 2-port 1000BaseX Supervisor > ! > #module 2 : 34-port 10/100/1000 Ethernet > set vlan 22/33 > set port speed 2/34 100 > set port duplex 2/34 full > clear trunk 2/34 3-1005 > set trunk 2/34 nonegotiate dot1q 1-2 > > > > > > > > > _ > Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=18158&t=18070 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
VPN Management and Reporting for Cisco Site-to-site VPN [7:62418]
Hi All, I am deploying Site-to-site VPN using Cisco IOS routers. I am wondering what software package offering the management, connectivity monitoring of tunnels, and content reporting available? How much it costs? Thanks! Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62418&t=62418 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
EIGRP vs. OSPF [7:62419]
Hi All, I have been using EIGRP for our routing protocol for the last couple years, which is prettly great. The controversal of selecting the routing protocol came up again recently. I would like to have your opinion on EIGRP vs. OSPF, which one is refered? What's the weakness and advantage? Thanks! Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62419&t=62419 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: EIGRP vs. OSPF [7:62419]
Interesting! I learned OSPF on BSCN book but never deploy it. EIGRP has been very easy to configured and very fast converged comparing to RIP/RIPv2. It seems OSPF gets lots of favor as a stardard protocol. I am curious if OSPF support load sharing on equal / unequal paths? Thanks All for the input! Thomas ""Priscilla Oppenheimer"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Good answers. Here are a few additional comments. > > OSPF is an IETF standard, which has the following advantages: > > You have access to the RFCs that describe it, which can help when > troubleshooting and designing network changes, even though the RFCs aren't > very readable. > > Engineers from around the world can enhance OSPF, using standard IETF > procedures and taking advantage of IETF work on advanced routing protocol > features. > > > EIGRP is not an IETF standard. You said below that the spec if available, > but that's not true. Cisco has lots of documentaton on EIGRP but they have > not released a specification for it. > > The fact that EIGRP is not a standard means that it probably won't be able > to take advantage of new IETF work, or at least not as easily, and not with > so much input from engineers around the world. > > > By the way, EIGRP converges very quickly too. And it doesn't use load and > reliability in its metric by default. Also it passes MTU info around, but > MTU isn't part of the metric. In fact, figuring out exactly how a router > running EIGRP uses MTU is one of those things that you can't find a > specification on. > > > Good discussion! > > Priscilla > > > [EMAIL PROTECTED] (Kaj J. Niemi) wrote: > > > > In mail.net.groupstudy.pro, you wrote: > > > > > I have been using EIGRP for our routing protocol for the > > last couple years, > > > which is prettly great. The controversal of selecting the > > routing protocol > > > came up again recently. I would like to have your opinion > > on EIGRP vs. > > > OSPF, which one is refered? What's the weakness and > > advantage? Thanks! > > > > - OSPF is pretty much supported by all vendors nowadays. > > - OSPF calculates a tree from the point of origin using > > Dijkstra's > > algorithm (SPF) > > - OSPF is a link-state protocol, you get really fast > > convergence by tuning > > the timers > > - All area 0 (ie. backbone) routers have a complete overview of > > the > > network > > - Easy to deploy > > - By default link-cost is calculated from the bandwidth of the > > link > > - Only for IP > > - Filtering on ABR/ASBR only, between areas preferably > > > > - EIGRP, although the spec is available, only you usually find > > it on only > > brand Ci$co routers. > > - EIGRP calculates it's view of the world using DUAL (Diffusing > > update > > algorithm) > > - Router stores its neighbors routing tables and queries its > > neighbors if > > no specific route is found > > - It's pretty much a distance-vector protocol with some > > features borrowed > > from link-state ones. > > - Pretty easy to deploy > > - Is bugwards compatible with IGRP > > - Works with IP and IPX > > - Easy to filter and aggregate, on any interface (ie you can do > > "areas" > > quite easily) > > - Takes into account path reliability, loading, MTU, lowest > > bandwidth > > between destinations, total delay when calculating the best > > way of > > getting to the destination. > > - Enterprise people tend to prefer EIGRP over others because > > it's easy to > > do ISDN backup with it > > > > > > Most people would nowadays choose OSPF because their CIOs might > > want to > > keep a second vendor option on the table. Service providers > > would probably > > choose IS-IS (my favorite) or OSPF. > > > > > > > > // kaj Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62459&t=62419 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Dynamic Multipoint VPN (DMVPN) [7:63000]
Hi All, Cisco announced the new feature of Dynamic Multipoint VPN on the new Cisco IOS 12.2(13)T version. I wonder if anyone has implemented it yet? How is it working? Couple concerns I am having if designing our WAN using this new feature: - Does it support "RSA nonces" authentication? - Could it be implemented with both static crypto map to one hub site and DMVPN to the other hub site (DMVPN hub/server)? - Does it support QoS? Thanks All! Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63000&t=63000 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: layer 3 switch [7:63407]
By default, all 3550 acts as a layer-2 switch. In order to provide layer-3 routing, you will have to put on the "ip routing" on the global configuration mode. Also, All interfaces on the boxes are set as layer-2 switch (no ip address). Thomas wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Hello All: > > Question - By default, out of the box, will a L3 switch simply act as a L2 > switch? > > I am planning to purchase a Cisco 3550-12G, along with other fiber gigabit > ready L2 switches for a LAN upgrade. The current LAN is one huge flat > network with a mixture of hubs and switches. I plan to install the 3550 and > use it simply as a device to connect the different areas. I do not want the > 3550 to act as a L3 switch to start. Is it possible to install this switch > and have it act as a L2 device. I would then later start segmenting and > enabling the L3 functions of the 3550. > > Any other suggested implementation methods? > > This goes along well with my current CCNP switching exam studies, nothing > like a little OJT. > > Thanks, > Tim > > > > > > > Note: This e-mail contains PRIVILEGED and CONFIDENTIAL information intended > only for the use of the specific individual or entity named above. If you or > your employer is not the intended recipient of this e-mail or an employee or > agent responsible for delivering it to the intended recipient, you are > hereby notified that any unauthorized dissemination or copying of this > e-mail is strictly prohibited. If you have received this transmission in > error, please immediately delete the message and advise the above by > telephone, email or fax response to this message. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63435&t=63407 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
VLAN loop problem [7:66656]
Hi All, I got a problem in the production campus LAN here between VLANs. Please help me out! Below is the scenario: We have VLAN 10 (10.10.x.x) and VLAN 20 (10.20.x.x) subnets. Routing is enable/allowed between the two subnets using MSFC of the 6500. Each subnet has a DHCP server to assign IP address to devices on its subnet. Spanning-tree is enable; however, portfast is turned on on all non-trunking/uplink ports. Recently, devices on VLAN 10 got assigned an IP address of 10.20.x.x , which is from the DHCP on the other scope and also from 10.10.x.x scope, and vice versa. It seems that we a loop somewhere between the 2 subnets but we don't know where. I noticed lots of end users have a little unmanged hub/switch hang off the network jacks in their cubicals and potentially cause loop. Is there any way that we can block the loop on the Cisco switches without visiting cubicals taking those little umanaged hubs/switches? Thanks! Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66656&t=66656 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VLAN loop problem [7:66656]
No, we don't have portfast bpdu-guard enabled. What does it do? Thanks Larry! Thomas ""Larry Letterman"" wrote in message news:[EMAIL PROTECTED] > port mac address security might work, altho its a lot of admin > overhead..are you running portfast bpdu-guard on the access ports? > > > Larry Letterman > Network Engineer > Cisco Systems > > > - Original Message - > From: Thomas N. > To: [EMAIL PROTECTED] > Sent: Tuesday, April 01, 2003 8:14 PM > Subject: VLAN loop problem [7:66656] > > > Hi All, > > I got a problem in the production campus LAN here between VLANs. Please > help me out! Below is the scenario: > > We have VLAN 10 (10.10.x.x) and VLAN 20 (10.20.x.x) subnets. Routing is > enable/allowed between the two subnets using MSFC of the 6500. Each subnet > has a DHCP server to assign IP address to devices on its subnet. > Spanning-tree is enable; however, portfast is turned on on all > non-trunking/uplink ports. Recently, devices on VLAN 10 got assigned an IP > address of 10.20.x.x , which is from the DHCP on the other scope and also > from 10.10.x.x scope, and vice versa. It seems that we a loop somewhere > between the 2 subnets but we don't know where. I noticed lots of end users > have a little unmanged hub/switch hang off the network jacks in their > cubicals and potentially cause loop. > > Is there any way that we can block the loop on the Cisco switches without > visiting cubicals taking those little umanaged hubs/switches? Thanks! > > Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66699&t=66656 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VLAN loop problem [7:66656]
What does "portfast bpdu-guard" do? Does it prevent interfaces with portfast enabled from causing the loop in my scenario? ""Larry Letterman"" wrote in message news:[EMAIL PROTECTED] > port mac address security might work, altho its a lot of admin > overhead..are you running portfast bpdu-guard on the access ports? > > > Larry Letterman > Network Engineer > Cisco Systems > > > - Original Message - > From: Thomas N. > To: [EMAIL PROTECTED] > Sent: Tuesday, April 01, 2003 8:14 PM > Subject: VLAN loop problem [7:66656] > > > Hi All, > > I got a problem in the production campus LAN here between VLANs. Please > help me out! Below is the scenario: > > We have VLAN 10 (10.10.x.x) and VLAN 20 (10.20.x.x) subnets. Routing is > enable/allowed between the two subnets using MSFC of the 6500. Each subnet > has a DHCP server to assign IP address to devices on its subnet. > Spanning-tree is enable; however, portfast is turned on on all > non-trunking/uplink ports. Recently, devices on VLAN 10 got assigned an IP > address of 10.20.x.x , which is from the DHCP on the other scope and also > from 10.10.x.x scope, and vice versa. It seems that we a loop somewhere > between the 2 subnets but we don't know where. I noticed lots of end users > have a little unmanged hub/switch hang off the network jacks in their > cubicals and potentially cause loop. > > Is there any way that we can block the loop on the Cisco switches without > visiting cubicals taking those little umanaged hubs/switches? Thanks! > > Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66711&t=66656 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VLAN loop problem [7:66656]
I'll check it out tomorrow. Thanks much Larry! Thomas ""Larry Letterman"" wrote in message news:[EMAIL PROTECTED] > Yes, > it prevents loops in spanning tree on layer 2 switches from causing a loop > by disabling the port on a cisco switch... > > > Larry Letterman > Network Engineer > Cisco Systems > > > > > > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of > > Thomas N. > > Sent: Wednesday, April 02, 2003 12:18 PM > > To: [EMAIL PROTECTED] > > Subject: Re: VLAN loop problem [7:66656] > > > > > > What does "portfast bpdu-guard" do? Does it prevent interfaces with > > portfast enabled from causing the loop in my scenario? > > > > > > ""Larry Letterman"" wrote in message > > news:[EMAIL PROTECTED] > > > > > port mac address security might work, altho its a lot of admin > > > overhead..are you running portfast bpdu-guard on the access ports? > > > > > > > > > Larry Letterman > > > Network Engineer > > > Cisco Systems > > > > > > > > > - Original Message - > > > From: Thomas N. > > > To: [EMAIL PROTECTED] > > > Sent: Tuesday, April 01, 2003 8:14 PM > > > Subject: VLAN loop problem [7:66656] > > > > > > > > > Hi All, > > > > > > I got a problem in the production campus LAN here between > > VLANs. Please > > > help me out! Below is the scenario: > > > > > > We have VLAN 10 (10.10.x.x) and VLAN 20 (10.20.x.x) subnets. > > Routing is > > > enable/allowed between the two subnets using MSFC of the 6500. Each > > subnet > > > has a DHCP server to assign IP address to devices on its subnet. > > > Spanning-tree is enable; however, portfast is turned on on all > > > non-trunking/uplink ports. Recently, devices on VLAN 10 got > > assigned an > > IP > > > address of 10.20.x.x , which is from the DHCP on the other scope and > > also > > > from 10.10.x.x scope, and vice versa. It seems that we a > > loop somewhere > > > between the 2 subnets but we don't know where. I noticed lots of end > > users > > > have a little unmanged hub/switch hang off the network jacks in their > > > cubicals and potentially cause loop. > > > > > > Is there any way that we can block the loop on the Cisco switches > > without > > > visiting cubicals taking those little umanaged hubs/switches? Thanks! > > > > > > Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66724&t=66656 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RJ48-RJ48 cable [7:70596]
Hi All, I am wondering what is the difference between the RJ48 and RJ45 connector/cable? I am setting a router with a integrated CSU/DSU (WIC-1DSU-T1) with a T1 RJ48 connection hand off by the ISP. They however do not provide the cable. Could I make a cable with RJ45 connectors for this? What would be the pinout for both end of the cable? Does the direction of the cable connection matter? It's urgent. Please help. Thanks in advance! Thomas. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70596&t=70596 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
831s crash [7:70650]
Hi All, I got couple 831 routers and deployed VPN tunnel on the network. They work pretty well for a SOHO, except that they crash when I put the "show ip route *". This happens to all 831s I have. I upgraded to the latest IOS but still have the same problem. Anyone know the fix for this? Thanks! Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70650&t=70650 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: RJ48-RJ48 cable [7:70596]
Thanks Scott! So if I didn't understand it wrong, I can just use a regular CAT5 Ethernet cable (with all 8 pin) to connect the WIC-1DSU-T1 on the router to that RJ48 hand-off connector from the ISP? Again, thanks! Thomas ""Scott Chau"" wrote in message news:[EMAIL PROTECTED] > A regular cat5 ethernet cable would work. It used pin 1,2,4,5. > Scott > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of > Thomas N > Sent: Thursday, June 12, 2003 2:39 PM > To: [EMAIL PROTECTED] > Subject: RJ48-RJ48 cable [7:70596] > > > Hi All, > > I am wondering what is the difference between the RJ48 and RJ45 > connector/cable? I am setting a router with a integrated CSU/DSU > (WIC-1DSU-T1) with a T1 RJ48 connection hand off by the ISP. They however > do not provide the cable. Could I make a cable with RJ45 connectors for > this? What would be the pinout for both end of the cable? Does the > direction of the cable connection matter? It's urgent. Please help. Thanks > in advance! > > Thomas. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70649&t=70596 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VLAN configuration question [7:18696]
You cannot have the same network assigned to different interfaces/sub-interfaces ""Sean Knox"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > On a Cisco router/switch running IOS with VLAN capabilities (i.e. 8500) can > a physical interface have an IP address if a subinterface off the same > physical interface has an IP and is actively participating in a VLAN? i.e. > > Router(enable)# conf t > Router(config)# interface 1/0 > Router(config-if)# ip addr 10.10.10.50 255.255.255.0 > Router(config-if)# interface 1/0.1 > Router(config-if)# ip address 10.10.10.1 255.255.255.0 > Router(config-if)# encapsulation dot1q 15 > > Are there any problems forthcoming in this setup? I seem to remember there > was, but I have no equipment to verify this. > > Thanks! > Sean Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=18699&t=18696 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VLAN configuration question [7:18696]
Well, I used to test VLANs before. Here is what I did: - If you use ISL for encapsulation, then you should not assign IP address to the physical interface. - If you use 802.1q for encapsulation, then you must assign an IP address to the physical interface. This IP address (network) must be the management VLAN/network (VLAN 1 by default). Also, the default-gateway is supposed to point to the management VLAN, which is the IP address of the physical interface. ""Michael L. Williams"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > I can't say 100% why this is, but imagine if you configure a switchport to > be a trunk link, and at the same time expect it to handle regular ethernet > traffic over the same line (along with the trunked signal) > > Mike W. > > "Sean Knox" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > That's what I thought. Is this because the main interface needs to be > > bridging? If not, what is the reasoning behind this? > > > > Thanks, > > Sean > > > > > > ""Baker, Jason"" wrote in message > > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > > yes there is amjor flaw in your config. > > > > > > if you are using vlans which means subinterfaces, if you put an IP > address > > > on the main interface > > > it will not work. > > > > > > so remove the ip address on interface 1/0 and you should be fine. > > > > > > > > > > > > > -Original Message- > > > > From: Sean Knox [SMTP:[EMAIL PROTECTED]] > > > > Sent: Thursday, 6 September 2001 7:39 am > > > > To: [EMAIL PROTECTED] > > > > Subject: VLAN configuration question [7:18696] > > > > > > > > On a Cisco router/switch running IOS with VLAN capabilities (i.e. > 8500) > > > > can > > > > a physical interface have an IP address if a subinterface off the same > > > > physical interface has an IP and is actively participating in a VLAN? > > i.e. > > > > > > > > Router(enable)# conf t > > > > Router(config)# interface 1/0 > > > > Router(config-if)# ip addr 10.10.10.50 255.255.255.0 > > > > Router(config-if)# interface 1/0.1 > > > > Router(config-if)# ip address 10.10.10.1 255.255.255.0 > > > > Router(config-if)# encapsulation dot1q 15 > > > > > > > > Are there any problems forthcoming in this setup? I seem to remember > > there > > > > was, but I have no equipment to verify this. > > > > > > > > Thanks! > > > > Sean Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=18753&t=18696 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: CCNA question with routing setup [7:18572]
Well, your configuration seem to miss something. Make sure that from one router, you can ping the IP address of the serial port of the other router. This will make sure that your frame-relay setting is working. If you cannot ping the serial of the other router, make sure you put "no keepalive" on the serial interface of each router. Assign DLCI number to the serial port and map the PVC using "frame-relay map..." RIPv1 (or RIP) does not support VLSM (variable length subnet mask), which is classless address. When you put: Router RIP network 192.168.0.0 It will automatically summarize the network to be 192.168.0.0 / 24, which none of your networks belongs to. If you run latest IOS, you can use RIPv2, which allows you to turn off the Auto-Summary. To enable RIP version 2, configure both routers as follow: Router RIP version 2 network 192.168.0.0 no auto-summary Good luck! ""xie rootstock"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > sorry, my last posting is wrong, you should set network 192.168.100.0, not > network 192.168.0.0 Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=18755&t=18572 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: how to configure Hub and Spoke enviornmentwith [7:18504]
Also, make sure that you put "no keepalive" on the physical interface. ""MADMAN"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Just set up the routers back ot back, giving the DCE a clockrate, > encapsulate frame and set up your subinterfaces, DLCI 16 to 16, 17 to 17 > etc... that should work though I have never tried it... > > Dave > george gittins wrote: > > > > how would one configure a hub and spoke enviornment with suninterfaces? > > im using dce and dte back to back? i can do a normal frame-relay , but > what > > about other scenarios? > -- > David Madland > Sr. Network Engineer > CCIE# 2016 > Qwest Communications Int. Inc. > [EMAIL PROTECTED] > 612-664-3367 > > "Emotion should reflect reason not guide it" Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=18756&t=18504 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Boot image from the PCMCIA card [7:19076]
Hi All, My Cisco 3620 router has both internal flash SIMM and the external PCMCIA flash card. Each flash hold a different version of the IOS image. If I want the router to boot from the IOS image from the PCMCIA card, what boot system command should I use? Thanks! Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19076&t=19076 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Question on routing [7:19083]
Hi All, I ran into a scenario below and I am not sure what path router A will choose to reach the destination network, 10.50.0.0 / 255.255.0.0, on router B. 10.1.1.1 / 255.255.0.0 | --S0- Router A-S1- || || || || --S0-Router B- S1-- | E0 = 10.50.1.1 / 255.255.0.0 --- Router A configuration: Interface serial 0 ip address 172.16.1.1 255.255.255.0 no shut Interface Serial 1 ip address 172.16.2.1 255.255.255.0 no shut Interface Ethernet 0 ip address 10.1.1.1 255.255.0.0 EIGRP 200 network 172.16.1.0 network 10.0.0.0 no auto-summary ip classless ip route 10.48.0.0 255.224.0.0 serial 1 Router B configuration Interface serial 0 ip address 172.16.1.2 255.255.255.0 no shut Interface Serial 1 ip address 172.16.2.2 255.255.255.0 no shut Interface Ethernet 0 ip address 10.50.1.1 255.255.0.0 no shut EIGRP 200 network 172.16.1.0 network 172.16.2.0 network 10.0.0.0 no auto-summary -- In this scenario, I assume router B knows how to reach 10.1.1.1 using both serial ports with EIGRP (administrative distance = 90). Router A has two paths to reach 10.50.1.1 destination: 1st path is learned through EIGRP with administrative distance of 90; the 2nd path is with the static route with network 10.48.0.0 and subnet mask of 255.224.0.0 or 12 bits. If I am not wrong, 10.48.0.0 / 255.224.0.0 will cover a range of IP addresses from 10.48.0.0 to 10.63.255.255; therefore, 10.50.1.1 falls into this scope. If I do the "show ip route", I will see both routes 10.50.0.0 / 16 and 10.48.0.0 / 12. My questions are: 1. With those 2 paths to reach 10.50.1.1, which path Router A will choose as a primary path? 2. If the path between 2 serial 0 of the 2 routers is down, Can router A reach 10.50.1.1 on router B with such a static route? Thanks All! Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19083&t=19083 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Video/Voice over IP [7:19351]
Hi All, My company is concerning about running voice/video over IP network. Our WAN is running on fractial T1, so bandwidth limitation is a big problem to us. What will be the mininum bandwidth requirement for voice and video traffic? 128k? Thanks! Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19351&t=19351 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Modules for Voice/IP [7:19355]
I started working on the voice/video over IP project and considering about the hardware needed. From Cisco, they have IP/VC 3520 boxes acting as the gateways between the IP network and the PSTN. However, it seems they also have modules for Cisco 2600/3600 that act in the same manner as those IP/VC 3520. Do you think I can substitute these modules with the IP/VC 3520 so that I can convert my IP network to PSTN for voice and video (said, conference room...)??? What models should I use for 2600 and 3600? Thanks All! Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19355&t=19355 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Question on routing [7:19083]
Hi All, First, let me sorry for the inaccurate information in the puzzle. The static IP address 10.48.0.0 is with 12 bits subnet mask (255.240.0.0, NOT 255.224.0.0). I didn't have my subnet calculator last time. So, the scope of IP address for 10.48.0.0/255.240.0.0 will include 10.48.0.0 to 10.63.255.255. Well, for more specific information, I am setting up a lab in which routes are learning dynamically with EIGRP while having a static routing pointing for a dummy VPN boxes for redundancy. These VPN boxes only do static mapping for routes. If the primary link between the two hub sites (learning through EIGRP) got killed, the first hub site is supposed to route its spokes and its subnets to reach the other hub and other spokes with static routes. However, instead of putting a bundle of static routes, I decided to use summaried routes (10.48.0.0/255.240.0.0) to cover. Thing is not that simple. The router might think 10.48.0.0/12 and 10.50.0.0/16 as two separate networks. If following the "more specific rule", the 10.50.0.0 network should act as the primary even it has administrative distance of 90. So the 10.48.0.0/12 should be ignored even it has an administrative distance of 1. In this case, I don't even need the floating static route (make a static route with admin. distance greater than 90), in order to make the static route as the secondary route for backup. Should my analyze correct? I might setup the lab and see what the routers will act. However, I would like to test my theory and analyzing... Please give me your thought! Thanks! Thomas N. ""David Goddard"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Thomas, > > This question has a lot of strange inaccuracies in it, but here we go... > > 1. The routing path chosen will always use the "longest match rule", in > other words between 10.50.0.0/16 and 10.32.0.0/12 the route chosen will be > the 10.50.0.0/16. > > 2. Your mask is bad for the static route... if you want routes 10.32.0.0 to > 10.63.0.0 to be included, the static route would read: > > ip route 10.32.0.0 255.224.0.0 serial 1 > > 3. Enabling eigrp requires the command ROUTER EIGRP 200, not just EIGRP 200 > > 4. When you add the network statements > network 172.16.1.0 > network 172.16.2.0 > to your EIGRP process, it will come out simply as > network 172.16.0.0 > and enable the EIGRP process on both Serial 0 and Serial 1 of both routers. > So although you may think that you didn't put in the network statement on > router A for 172.16.2.0, it will still enable EIGRP on Serial 1. So when > Serial 0 goes down, routing will still continue over Serial 1. > > Try testing your configs out in a lab and you'll see pretty quickly what I > mean. > > Dave Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19374&t=19083 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Video/Voice over IP [7:19351]
Thanks much to Andras and others! Andras, when you said you had all units configured not to run at rate greater than 256k, and the quality is still OK or good; I assumed you had both video and voice traffice over those PVCs, such as NetMeeting application? Again, Thanks alot for all of the info! Thomas N. ""Andras Bellak"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > We are currently running a mix of polycom mp and fx units via h.323 on > our WAN. We have set all the units to not run at any speed greater than > 256k. The video quality is great on all of them, even those going into > questionaable frame networks such as Mexico. Our latency from our > headquarters in San Diego to the various video systems ranges from 40ms > to 210ms. Our WAN is composed of IP-enabled Frame links (AT&T's way of > saying MPLS VPN) with the occasionally frame pvc in place. If you are > going to depend on the video quality being good, you should look into > implementing some form of QOS on the network. Most people do this with > voice having a higher rating through the WAN, but we've found that > glitches are more easily recognized and complained about on the video > side. > > We are also running voice over the same network, but not the the same > degree. Our voice system is Lucent based, and simply ties into our LAN's > in each office that is connected with Lucent PBX systems. The voice > quality is decent over the links, at least good cell phone quality, and > the latency is minimal. One thing to be concerned about with voice is > it's high demands for bandwidth per call. The Lucent system uses 64K per > connection (which really doesn't measure out quite that high). Using > analog phones with FXS and FXO cards in cisco routers generates sound > quality that is at least as good, and lower overhead. But it is more > difficult to integrate into an existing homogenous network (if you have > disparate pbx systems, take a look at the cisco method). I haven't > worked with the cisco ip phone solutions on my network, but understand > from colleagues that they work extremely well. > > On the video side, try to test a few different systems that meet your > needs, even trying different systems from different manufacturers. There > is often a noticable difference in video quality depending on the > systems (ie - our polycom fx h.323 systems have far better video > performance than our polycom mp units with h.323 - but the fx doesn't > have built in isdn and cost quite a bit more). > > Have fun with this if you can - video and voice over ip are great ways > to wow upper management teams and are fun to play with. > > Good luck > > Andras Bellak > Director, WAN Engineering > > > > -Original Message- > From: Brian Whalen [mailto:[EMAIL PROTECTED]] > Sent: Monday, September 10, 2001 8:42 PM > To: [EMAIL PROTECTED] > Subject: RE: Video/Voice over IP [7:19351] > > > Many people agree with the below, that 384k is the minimum for > reasonable > live video.. > > Brian "Sonic" Whalen > Success = Preparation + Opportunity > > > On Mon, 10 Sep 2001, Leigh Anne Chisholm wrote: > > > As Manager, Voice/Data systems at the law firm I worked at, we demo'd > two > > different Videoconferencing technologies. I don't remember the first > > vendor, but the second we looked at was Polycom. For both, I had 3 > ISDN > > lines installed (3 x 128 kbps = 384 kbps). Use that as a ballpark > figure > > for video - if you're going to use specialized videoconferencing > equipment. > > > > > > -- Leigh Anne > > > > > -Original Message- > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf > Of > > > Thomas N. > > > Sent: Monday, September 10, 2001 8:35 PM > > > To: [EMAIL PROTECTED] > > > Subject: Video/Voice over IP [7:19351] > > > > > > > > > Hi All, > > > > > > My company is concerning about running voice/video over IP > > > network. Our WAN > > > is running on fractial T1, so bandwidth limitation is a big problem > to > us. > > > What will be the mininum bandwidth requirement for voice and > > > video traffic? > > > 128k? Thanks! > > > > > > Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19375&t=19351 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Video/voice over IP [7:19905]
Hi All, In my lab scenario, I have an conference video camera that is connected to the LAN. On the router, I have a 2600 router with a VIC-2BRI-NT/TE module. This VIC-2BRI-NT/TE mdule is then connected to the a MCU from the ISP provider for video conference (say, AT&T). Do you think it is possible to implement so that my video conference camera can call the ISP MCU with ISDN lines using the gateway mdule VIC-2BRI-NT/TE? Thanks!!! Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19905&t=19905 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Video/voice over IP [7:19905]
Sorry I missed my topology: ISDN video conf. camera | Video conf. camera ---Ethernet0-Router-VIC-2BRI-NT/TEISDN cloud---ISDN video conf. camera | AT&T MCU Can my IP conf. video camera talk with ISDN video conf. camera using this VIC-2BRI-NT/TE module? ""Thomas N."" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Hi All, > > In my lab scenario, I have an conference video camera that is connected to > the LAN. On the router, I have a 2600 router with a VIC-2BRI-NT/TE module. > This VIC-2BRI-NT/TE mdule is then connected to the a MCU from the ISP > provider for video conference (say, AT&T). Do you think it is possible to > implement so that my video conference camera can call the ISP MCU with ISDN > lines using the gateway mdule VIC-2BRI-NT/TE? Thanks!!! > > Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19906&t=19905 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Video/voice over IP [7:19905]
Hm... my topology messed up with the line swapping. Here it goes again: - video conf. camera | Ethernet0 | Router | VIC-2BRI-NT/TE | ISDN cloud | ISDN video conf. camera ""Thomas N."" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Sorry I missed my topology: > > > ISDN video conf. camera > > | > Video conf. camera ---Ethernet0-Router-VIC-2BRI-NT/TEISDN > cloud---ISDN video conf. camera > > | > > AT&T MCU > > > Can my IP conf. video camera talk with ISDN video conf. camera using this > VIC-2BRI-NT/TE module? > > > > > ""Thomas N."" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > Hi All, > > > > In my lab scenario, I have an conference video camera that is connected to > > the LAN. On the router, I have a 2600 router with a VIC-2BRI-NT/TE > module. > > This VIC-2BRI-NT/TE mdule is then connected to the a MCU from the ISP > > provider for video conference (say, AT&T). Do you think it is possible to > > implement so that my video conference camera can call the ISP MCU with > ISDN > > lines using the gateway mdule VIC-2BRI-NT/TE? Thanks!!! > > > > Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19907&t=19905 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Video/voice over IP [7:19905]
Yes, the camera is H323 supported. If the module is not the right one, what module should I use in this case? ""Patrick Donlon"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Thomas does the camera use h323 across the network? if so it should be > possible, I'd be interested to here if it works > > cheers > > ""Thomas N."" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > Hm... my topology messed up with the line swapping. Here it goes again: > > > > - > > video conf. camera > > | > > Ethernet0 > > | > >Router > > | > > VIC-2BRI-NT/TE > > | > >ISDN cloud > > | > > ISDN video conf. camera > > > > > > > > > > > > > > > > ""Thomas N."" wrote in message > > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > > Sorry I missed my topology: > > > > > > > > > ISDN video conf. camera > > > > > > | > > > Video conf. camera ---Ethernet0-Router-VIC-2BRI-NT/TEISDN > > > cloud---ISDN video conf. camera > > > > > > | > > > > > > AT&T MCU > > > > > > > > > Can my IP conf. video camera talk with ISDN video conf. camera using > this > > > VIC-2BRI-NT/TE module? > > > > > > > > > > > > > > > ""Thomas N."" wrote in message > > > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > > > Hi All, > > > > > > > > In my lab scenario, I have an conference video camera that is > connected > > to > > > > the LAN. On the router, I have a 2600 router with a VIC-2BRI-NT/TE > > > module. > > > > This VIC-2BRI-NT/TE mdule is then connected to the a MCU from the ISP > > > > provider for video conference (say, AT&T). Do you think it is > possible > > to > > > > implement so that my video conference camera can call the ISP MCU with > > > ISDN > > > > lines using the gateway mdule VIC-2BRI-NT/TE? Thanks!!! > > > > > > > > Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19928&t=19905 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
FastEther Channel [7:20494]
Hi All, I have a Cisco 2621 router with 2 FastEthernet ports, and plan to implement trunking with "Routing on a Stick." I wonder if it is possible to combine the 2 FastEthernet ports on the Cisco 2621 router to create a FastEther Channel, then create a trunk out of that FastEthernet Channel of 200Mbps link? Thanks All! Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=20494&t=20494 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VoIP quality and Requirement [7:20497]
I am also interesting in implementing VoIP. Based on what I read so far: - Delay should be less then 150ms - Implement Traffic Shaping for Voice (VoIP or VoFR) Thomas N. ""MJ"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Dear All, > > I am planning to implement VoIP between our different office located in > different country. > > All our offices have leased line to Internet normally either of 64K or 128K. > I have 2x64 Leased lines coming from different ISP's. > > Can you suggest me. > 1. What should be avg. Ping in msec between office to have good VoIP. > 2. What should be bandwidth to run one channel, they say 8K, so does that > mean that on 64K leased line I can have 8 Ports working without any problem > ? > > What are the other things that I should look for before setting up VoIP ? > > > Regards, > > Mukul Jain Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=20500&t=20497 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Fragmentation [7:20757]
Hi All, Can anyone show me some good URL regarding the Fragmentation for Frame Relay network? Thanks! Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=20757&t=20757 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
How to purge MLS cache [7:21540]
Hi All, I would like to purge the entries in the MLS cache of the 6509, then let the switch relearn the MAC. What commend should I use? Thanks All! Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=21540&t=21540 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: How to purge MLS cache [7:21540]
Just to clarify, I ONLY want to purge (refresh) the mls cache, but NOT want to disable the mls. So should I use "clear mls ip" or else? Thanks All. ""Dominick Marino"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > clear mls ip > > Regards, > > Dom > > > ""Thomas N."" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > Hi All, > > > > I would like to purge the entries in the MLS cache of the 6509, then let > the > > switch relearn the MAC. What commend should I use? Thanks All! > > > > Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=21612&t=21540 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Traffic Shaping [7:21991]
Hi All, I implemeted the Traffic Shaping using map-class and assigned to subinterfaces. The PVCs sharing that physical interfaces however increase in reply time and eventually timeout. What did I do wrong? When I tried General Traffic Shaping, it worked with "traffic-shape rate" and "traffic-shape adaptive" commands. The reason I would like to implement Traffic Shaping with map-class because I would like to apply "Frame-Relay fragmentation" into some PVC to reduce delay time... Any idea why Traffic Shaping with map-class timeouts my PVCs? Thanks All! Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=21991&t=21991 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
MCSE vs. CCNA/CCNP [7:23471]
Hi All, I know this may be a stupid question, but I just wanna know your feeling in comparing between the value of MCSE and CCNA/CCNP certifications. If you are a hiring manager or a technical person who handles the interviewing, what certification is more value or more "weight" to you...? Cheers, Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=23471&t=23471 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Mulilayer Switch (MLS) on CAT 4006 [7:24142]
Well, please correct me if I am wrong. As my understanding, MLS is the main feature of Layer 3 switch (5000, 6000, 6500... not sure 4000 products). MLS allows hosts on different subnets talking at the wire speed after initially routed by the route processor. After that, MAC of these hosts and the flow is added on the MLS cache table; therefore these hosts can tranfer packets with no further routing needed (at layer 2). Without MLS enabled, all packets to/from host on different hosts have to be routed with the Route Processor (MSFC or RPM...) and therefore got bottleneck there. ""MADMAN"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Can't say I've tried that. First question, why is MLS sooo important > that you feel you must do this?? There are legitimate reasons for MLS > but I see to many people turn knob only because they are there:( > > That aside I don't think you can. On the external devices on which > you can do this your terminating the trunk on a routed interface whereas > on the 6509 the trunk terminates on a layer 2 interface if you follow my > thinking. > > Dave > > Thomas wrote: > > > > Okie, > > > > Here is my CAT 4006 specs and topology. My 4006 has a Supervisor Engine II > > (WS-X4013). It has an uplink TRUNK to a CAT 6509 that has MSFC doing > > routing between VLANS and has MLS enabled. > > > > My question is if I have MLS configured on MSFC of the 6509, the enabling > of > > MLS on CATOS of 4006 via 6509 MSFC as the MLS-RP working? Thanks! > > > > Thomas N. > > > > ""MADMAN"" wrote in message > > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > > Sure if you use an external MLS-RP, 75xx, 72xx, 4500, 4700. I'm > > > reasonably sure it's a hardware issue with the WS-X4232-L3. > > > > > > Dave > > > > > > Thomas wrote: > > > > > > > > Hi All, > > > > > > > > I wonder if CAT 4006 switch support MLS? It doesn't seem to have a > > layer 3 > > > > card. I wonder if I can enable MLS using an external router, or > > pointing > > > it > > > > to the MSFCs of a CAT 6500 that have MLS enabled? Thanks! > > > > > > > > Thomas N. > > > -- > > > David Madland > > > Sr. Network Engineer > > > CCIE# 2016 > > > Qwest Communications Int. Inc. > > > [EMAIL PROTECTED] > > > 612-664-3367 > > > > > > "Emotion should reflect reason not guide it" > -- > David Madland > Sr. Network Engineer > CCIE# 2016 > Qwest Communications Int. Inc. > [EMAIL PROTECTED] > 612-664-3367 > > "Emotion should reflect reason not guide it" Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24161&t=24142 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Mulilayer Switch (MLS) on CAT 4006 [7:24142]
On the last sencentence, I meant "packets to/from host on different VLAN / subnet..." Sorry, ""Thomas N."" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Well, please correct me if I am wrong. As my understanding, MLS is the main > feature of Layer 3 switch (5000, 6000, 6500... not sure 4000 products). MLS > allows hosts on different subnets talking at the wire speed after initially > routed by the route processor. After that, MAC of these hosts and the flow > is added on the MLS cache table; therefore these hosts can tranfer packets > with no further routing needed (at layer 2). Without MLS enabled, all > packets to/from host on different hosts have to be routed with the Route > Processor (MSFC or RPM...) and therefore got bottleneck there. > > > > ""MADMAN"" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > Can't say I've tried that. First question, why is MLS sooo important > > that you feel you must do this?? There are legitimate reasons for MLS > > but I see to many people turn knob only because they are there:( > > > > That aside I don't think you can. On the external devices on which > > you can do this your terminating the trunk on a routed interface whereas > > on the 6509 the trunk terminates on a layer 2 interface if you follow my > > thinking. > > > > Dave > > > > Thomas wrote: > > > > > > Okie, > > > > > > Here is my CAT 4006 specs and topology. My 4006 has a Supervisor Engine > II > > > (WS-X4013). It has an uplink TRUNK to a CAT 6509 that has MSFC doing > > > routing between VLANS and has MLS enabled. > > > > > > My question is if I have MLS configured on MSFC of the 6509, the > enabling > > of > > > MLS on CATOS of 4006 via 6509 MSFC as the MLS-RP working? Thanks! > > > > > > Thomas N. > > > > > > ""MADMAN"" wrote in message > > > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > > > Sure if you use an external MLS-RP, 75xx, 72xx, 4500, 4700. I'm > > > > reasonably sure it's a hardware issue with the WS-X4232-L3. > > > > > > > > Dave > > > > > > > > Thomas wrote: > > > > > > > > > > Hi All, > > > > > > > > > > I wonder if CAT 4006 switch support MLS? It doesn't seem to have a > > > layer 3 > > > > > card. I wonder if I can enable MLS using an external router, or > > > pointing > > > > it > > > > > to the MSFCs of a CAT 6500 that have MLS enabled? Thanks! > > > > > > > > > > Thomas N. > > > > -- > > > > David Madland > > > > Sr. Network Engineer > > > > CCIE# 2016 > > > > Qwest Communications Int. Inc. > > > > [EMAIL PROTECTED] > > > > 612-664-3367 > > > > > > > > "Emotion should reflect reason not guide it" > > -- > > David Madland > > Sr. Network Engineer > > CCIE# 2016 > > Qwest Communications Int. Inc. > > [EMAIL PROTECTED] > > 612-664-3367 > > > > "Emotion should reflect reason not guide it" Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24162&t=24142 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Multilayer Switching [7:24595]
Anyone have any problem turning on VLAN interfaces that are running on NAT protocol? I couldn't turn VLAN on my 6509 that has "ip nat inside" statement. Thanks! Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24595&t=24595 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Multilayer Switching [7:24595]
Sorry all for the confusion. I mean I could not enable MLS on VLANs that are running NAT. When I put "mls rp ip" on VLAN interfaces that have NAT running, I didn't get any error message. However, when I did the "show mls rp interfaces" I didn't see VLANs with NAT on the list of VLANs running MLS. ""Patrick Ramsey"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > IF you have that vlan off then the ip nat inside statement is useless I > would assume. If infact the ip nat inside statement is doign something, I > would assume the vlan to be on... > > Is this logic incorrect? OR do I not understand you question? > > -Patrick > > >>> "Thomas N." 10/29/01 08:45PM >>> > Anyone have any problem turning on VLAN interfaces that are running on NAT > protocol? I couldn't turn VLAN on my 6509 that has "ip nat inside" > statement. Thanks! > > Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24605&t=24595 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
"no ip route-cache cef" [7:24612]
What does the "no ip route-cache cef" does? Anyone knows? Thanks. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24612&t=24612 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: "no ip route-cache cef" [7:24612]
Thanks Chuck! ""Chuck Larrieu"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > according to the informtion found on the Cisco website, under the command > reference master: > > http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/swit > ch_r/xrdscmd2.htm#1029825 > > To enable Cisco Express Forwarding (CEF) operation on an interface after CEF > operation has been disabled, use the ip route-cache cef command in interface > configuration mode. To disable CEF operation on an interface, use the no > form of this command. > > Now that you have a starting point, you can follow up with some reading on > CEF and what is is and is supposed to do. > > Sometimes the folks over on NANOG don't have much good to say about CEF but > that's another story. > > Chuck > > > ""Thomas N."" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > What does the "no ip route-cache cef" does? Anyone knows? Thanks. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24638&t=24612 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Redundancy between 6506 with a single sup. eng. each box? [7:25028]
Hi Group, I have this scenario and wonder if it is possible to setup the topology with redundancy. I have a CAT 6509 acting as the core switch (say switch A), and 2 other CAT 6506 acting as the distribution switches (say switch B and C). Both switch B and C have fiber uplinks to core switch A. Switches A and B also have a redundant fiber between them. Regarding the hardware, The core 6509 has 2 supervisor engines with dual MSFCs. The two 6506 have only one supervisor engine and their MSFC DO NOT do routing at all. My concern/question is that if the supervisor engine of one of the distribution 6506 died, can access switches attached to this 6506 re-route to the redundant link? I doubt this will work because the the supervisor engine of the 6506 has all the configuration (including vlans) for the ports/trunks attached to access switches died. Is there any way to to set them up so that if the supervisor engine on one distribution 6506 dies, all ports/trunks on this 6506 can still be OK with redundant link? Putting dual supervisor engines on each 6506 will be my last solution. Thanks All! Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=25028&t=25028 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Routing on a Stick [7:25025]
Thanks much to All! Thomas N. ""Mcfadden, Chuck"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > It's possible. Make sure the router has a 100BT interface and set up dot1q > between the router and the switch. use sub ints on the router to define the > Vans and your good to go. > > I hope this is what you were asking. > ccie1ab > > -Original Message- > From: Thomas N. [mailto:[EMAIL PROTECTED]] > Sent: Thursday, November 01, 2001 10:48 PM > To: [EMAIL PROTECTED] > Subject: Routing on a Stick [7:25025] > > > Hi All - Had anyone here setup "Routing on a Stick" between a CAT 4006 > switch and a Cisco 2600/3600 router using a FastEthernet interface (RJ45) > both both the 4006 and the router? Is it possible to set this up? Thanks! > > Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=25168&t=25025 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
How to add external MLS-RP on a CAT 6500 sup. engine? [7:25169]
My 6506 has 3 MSFCs but they do not do any routing. Instead, the box is uplink to another 6509 that has MSFCs doing routing. By default, the 6506 has MLS enabled and uses its own MSFCs as MLS-RPs. How should I exclude these MSFCs and point the supervisor engines of this 6506 to use MSFCs of the 6509 as the MLS-RP? The command set on 6500 is not the same as the CAT 5000. Thanks! Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=25169&t=25169 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Fiber uplink module part number [7:57358]
You can get couple of these GBIC adapters for less than $200 from MJSystems.com. ""Jeffrey Reed"" wrote in message news:200211131729.RAA19686@;groupstudy.com... > GigaStack Stacking GBIC and 50cm cable WS-X3500-XL $250 > 1000BASE-T GBIC WS-G5483= $395 > 1000BASE-SX WS-G5484= $500 > 1000BASE-LX/LH WS-G5486= $995 > 1000Base-ZX extended reach GBIC(singlemode) WS-G5487= $5995 > > Gigastack is proprietary and I think the 1000B-T and 1000B-ZX GBIC too. > > > Jeff Reed > > > -Original Message- > From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com]On Behalf Of > [EMAIL PROTECTED] > Sent: Wednesday, November 13, 2002 11:18 AM > To: [EMAIL PROTECTED] > Subject: Fiber uplink module part number [7:57358] > > Does anyone know the part number of a fiber uplink module for one of the new > cat 2950G-12 switches? > > Is the GigaStack GBIC a new proprietary connector for the catalysts? > > > Thanx, > mkj Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57369&t=57358 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
WIC-1ENET [7:57596]
Hi All - I am wondering if the 1-Ethernet WIC card (WIC-1ENET) works with the WAN slots on Cisco 2600 routers? Do I need certain version of IOS in order to have it worked on Cisco 2600 WAN slot? Thanks All! Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57596&t=57596 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: WIC-1ENET [7:57596]
Thanks Dave! ""MADMAN"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > I think it's only supported on the 1700 series routers. Try a HW/SW > compatibility lookup. > > Dave > > "Thomas N." wrote: > > > > Hi All - I am wondering if the 1-Ethernet WIC card (WIC-1ENET) works with > > the WAN slots on Cisco 2600 routers? Do I need certain version of IOS in > > order to have it worked on Cisco 2600 WAN slot? Thanks All! > -- > David Madland > CCIE# 2016 > Sr. Network Engineer > Qwest Communications > 612-664-3367 > > "You don't make the poor richer by making the rich poorer." --Winston > Churchill Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57701&t=57596 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: GRE on Cisco routers [7:57836]
EIGRP, OSPF and RIPv2 do routing update with multicast traffic. IPSec alone does not support multicast. GRE does support multicasting traffic. You can use GRE over IPSec tunnel to run routing protocol such as EIGRP, OSPF or RIPv2. Thomas ""H"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > I have 2 questions: > > > 1) > >IPSec > 172.16.1.1/24 - RTA == RTB -- 172.16.2.1/24 >| | > 192.168.1.0/24192.168.2.0/24 > > Here are more info:- > > RTA's Serial0 (connecting to RTB) - 10.64.10.13/27 > RTB's Serial1 (connecting back to RTA) - 10.64.10.14/27 > > Both RTA & RTA are running EIGRP. > > As per CCO, IPSec (without GRE) does not transfer routing protocols such as > EIGRP / > OSPF etc. I have tested this on the above topology, but I can get the EIGRP > routes > across from RTA to RTB & vice versa. What am I missing?? > > And here are the configs:- > > And RTA:- > > crypto isakmp policy 15 > hash md5 > authentication pre-share > ! > crypto isakmp key 1234a address 10.64.10.14 > ! > ! > crypto ipsec transform-set setOne esp-des esp-md5-hmac > ! > crypto map combined local-address Serial1 > ! > crypto map combined 8 ipsec-isakmp > set peer 10.64.10.14 > set transform-set setOne > match address 101 > ! > ! > interface Loopback0 > ip address 192.168.1.1 255.255.255.0 > ! > ! > interface Serial0 > ip address 172.16.1.1 255.255.255.0 > no fair-queue > ! > interface Serial1 > ip address 10.64.10.13 255.255.255.224 > no ip route-cache > no ip mroute-cache > clockrate 64000 > crypto map combined > ! > router eigrp 1 > network 10.0.0.0 > network 172.16.1.0 0.0.0.255 > network 192.168.1.0 > no auto-summary > ! > ! > access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 > > > RTB:- > > crypto isakmp policy 5 > hash md5 > authentication pre-share > ! > ! > crypto isakmp key 1234a address 10.64.10.13 > ! > crypto ipsec transform-set setTwo esp-des esp-md5-hmac > ! > crypto map combined local-address Serial0 > ! > crypto map combined 13 ipsec-isakmp > set peer 10.64.10.13 > set transform-set setTwo > match address 101 > ! > ! > interface Loopback0 > ip address 192.168.2.1 255.255.255.0 > ! > interface Ethernet0 > ip address 172.16.2.1 255.255.255.0 > ! > interface Serial0 > ip address 10.64.10.14 255.255.255.224 > no fair-queue > crypto map combined > ! > ! > router eigrp 1 > network 10.0.0.0 > network 172.16.2.0 0.0.0.255 > network 192.168.2.0 > no auto-summary > no eigrp log-neighbor-changes > ! > ! > access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 > > > *** So instead of getting the EIGRP routes via Tunnel 0 inteface, I'm > getting it via > the outgoing interface (serial 0), & the IPSec still works. So what am I > missing, > and how does it make a difference if I use GRE over IPSec? I also tested > RIPv2 & > getting similar results. > > RTA#sh ip route > Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP >D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area >N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 >E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP >i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter > area >* - candidate default, U - per-user static route, o - ODR >P - periodic downloaded static route > > Gateway of last resort is not set > > 172.16.0.0/24 is subnetted, 2 subnets > C 172.16.1.0 is directly connected, Serial0 > D 172.16.2.0 [90/2195456] via 10.64.10.14, 00:36:16, Serial1 > 10.0.0.0/27 is subnetted, 1 subnets > C 10.64.10.0 is directly connected, Serial1 > C192.168.1.0/24 is directly connected, Loopback0 > D192.168.2.0/24 [90/2297856] via 10.64.10.14, 01:24:52, Serial1 > RTA# > > RTA#sh crypto engine connections act > > ID Interface IP-Address State Algorithm Encrypt > Decrypt >1 Serial1 10.64.10.13 setHMAC_MD5+DES_56_CB0 > 0 > 2000 Serial1 10.64.10.13 setHMAC_MD5+DES_56_CB0 > 6 > 2001 Serial1 10.64.10.13 setHMAC_MD5+DES_56_CB6 > 0 > > RTA# > -- > > > 2) > > Most configs / examples I found on CCO and books use: > > ccrypto ipsec transform-set setTwo esp-des > > so when would one use: > > ccrypto ipsec transform-set setTwo esp-des ?? > > Or is it generally not needed / recommended to use the mode transport? If > anyone can > give me some config e.g., that would be greatly appreciated. > > > Thanks, > HL Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57867&t=57836 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
VoIP over IP-VPN [7:57880]
Hi All - I am wondering if anyone here has VoIP working well over IPSec tunnels? Cisco said this could be done, but I am not sure how this approach works in a practical internet enviroment? Thanks! TN Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57880&t=57880 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VoIP over IP-VPN [7:57880]
Thanks Marshal, for the input!!! ""Marshal Schoener"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > I am using a Cisco 3002 hardware client with a 3000 series gateway from NY > to Malaysia... > True VPN / IPsec between the 2 sites... > We put VoIP across this VPN, and it works unbelievably well. So much better > than we even hoped it would. > We have an E1 on the Malaysian end and a T1 on the NY end... So there is > good bandwidth... > > The VoIP hardware and software we are using is really old. It is called an > ITSE server. Internet Telephony Server... Basically, the servers have NT > installed, and have this ITSE software installed. They are directly > connected to our switch and given a phone extension on each side of the > tunnel. All we have to do is dial that extension, and it gives us a dial > tone on the switch on the other side of the tunnel. > There are times when it doesn't connect right away, but if you just hang up > and call again, it normally works fine. I would say about 95% of the time > the call sounds like a perfect international phone call. > > The other 5% there is too much noise and delay, but IMO that is a small > price to pay for free international phone calls to literally the other side > of the world. We saved $6000 a month by getting rid of the frame-relay and > installing this VPN, and couldn't be happier :-) > > GOOD LUCK! > > -Original Message- > From: Thomas N. [mailto:[EMAIL PROTECTED]] > Sent: Friday, November 22, 2002 9:57 AM > To: [EMAIL PROTECTED] > Subject: VoIP over IP-VPN [7:57880] > > > Hi All - I am wondering if anyone here has VoIP working well over IPSec > tunnels? Cisco said this could be done, but I am not sure how this approach > works in a practical internet enviroment? Thanks! > > TN Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58141&t=57880 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
VLAN identity [7:58559]
Hi All, I am wondering if the VLAN number is valid locally on a LAN only or it goes across the WAN link? In my scenario, I have two LANs separated with 2 WAN routers. On the LAN # 1, I assign a VLAN 100 with IP address (gateway) of 10.100.1.1. On LAN # 2, I assign another VLAN 100 but with an IP address of 10.200.1.1. The WAN link is using a 172.16.10.0 subnet, and does routing between 10.0.0.0 and 172.16.10.0 networks. My question is that will VLAN 100 on LAN # 1 distinguishes from VLAN 100 on the LAN # 2? Can I have 2 different subnets with the same VLAN ID number but sitting on 2 separate LANs? Hosts in the first VLAN 100 should not talk to others in the second VLAN 100 without using the routers? Thanks All! Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58559&t=58559 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VLAN identity [7:58559]
Hi Larry, I am using trunking on the LAN side of the routers to route between VLANs. However, WAN interfaces of these routers are not configured as trunk. The WAN link is just connected using a different subnet. And no, I don't use bridging. So if VLAN is just local significant, should it not be a problem? Thanks! Thomas ""Larry Letterman"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > I would think that you can bridge them with IRB/CRB but the vlan id > would not be > an issue since the connections are not using isl/dot1q trunking. You > would basically > be making a flat network across the wan links. The vlan information > will only propagate > across trunk links that pass the vlan id in the layer 2 frame. > > -Larry > > s vermill wrote: > > >Larry Letterman wrote: > > > >>Not unless the routers were using trunking and it does not > >>sound like > >>they are... > >>The L3 links to each lan switch dont know anything about the > >>vlan . > >> > >>Larry > >> > > > >Larry, > > > >Just curious... Can VLANs be bridged over a bridge group that includes > >serial WAN connectivity or is a FE or GE trunk the only possibility? > > > >Scott Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58634&t=58559 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Export Control with 3DES encryption [7:60573]
Hi All, I plan to buy VPN routers, ship them to Japan then deploy VPN between Cisco routers using 3DES encryption between Japan and U.S. for my company. Do I need to register with the government or certain organization? How the process work? Also, where can I find a list of countries allowed to export 3DES products to? Thanks All in advance! Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60573&t=60573 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Export Control with 3DES encryption [7:60573]
Thank you very much! This page bring me directly to the registration page. However, I am wondering if I register with Cisco or with some government organization? If I register with Cisco link below, will they automatically submit it to certain government organization? Thanks much! Thomas ""The Long and Winding Road"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > yes, here is a link on the Cisco web site: > > http://www.cisco.com/cgi-bin//Software/Crypto/crypto_main.pl > > this should get you started. > > HTH > > -- > TANSTAAFL > "there ain't no such thing as a free lunch" > > > > > ""Thomas N."" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > Hi All, > > > > I plan to buy VPN routers, ship them to Japan then deploy VPN between > Cisco > > routers using 3DES encryption between Japan and U.S. for my company. Do I > > need to register with the government or certain organization? How the > > process work? Also, where can I find a list of countries allowed to > export > > 3DES products to? Thanks All in advance! > > > > Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60707&t=60573 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Cisco 831 routers [7:61707]
Hi All, I wonder if anyone here could get a hold of the new Cisco 831 VPN router? I am trying to get couple of these routers but being told they are onhold by Cisco. I am just curious why? and when they are available again? Thanks! Thomas. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61707&t=61707 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Cisco 831 routers [7:61707]
Thanks Paul. Do you have any chance to test out for performance of GRE+IPSec? Is it better than that of software-based encryption on the 2600 routers? ""Paul Forbes"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > They're available (we have four in house ready for deployment). I > haven't tested them with "all knobs on" (GRE+IPsec, CBAC, IDS, QoS, > EIGRP/OSPF, etc.), but VPN+CBAC has worked beautifully. > > Check with your VAR or Cisco account team for leadtimes. > > Cheers. > > Paul > > > -Original Message- > > From: Thomas N. [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, January 23, 2003 12:32 PM > > To: [EMAIL PROTECTED] > > Subject: Cisco 831 routers [7:61707] > > > > > > Hi All, > > > > I wonder if anyone here could get a hold of the new Cisco 831 > > VPN router? I > > am trying to get couple of these routers but being told they > > are onhold by > > Cisco. I am just curious why? and when they are available > > again? Thanks! > > > > Thomas. > > Report misconduct > > and Nondisclosure violations to [EMAIL PROTECTED] Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62012&t=61707 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Cisco 831 routers [7:61707]
Thanks much Paul! Now I am waiting to get those boxes :). Thomas. ""Paul Forbes"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Glad to help Thomas. > > My experience with lower-end 2600's (2611/2621) is that they can reach > approximately 500-750Kbps of 3DES IPsec performance (depending upon > traffic type; purely 1440-byte packets might get you north of 800Kbps). > The 831 is rated, as per Cisco > (http://tools.cisco.com/cmn/jsp/index.jsp?id=20753), at around 2Mbps > with standard traffic, so real world performance should be better > (64-byte packets induce the greatest amount of stress). > > This, plus the punting of LLQ into the crypto engine, Websense/N2H2 > content filtering and virtual AUX makes this little router quite > acceptable for small offices, though there isn't any modularity of > course (e.g. no WICs, no NMs). > > Cheers. > > Paul Forbes > Network Engineer > Trimble > > > -Original Message- > > From: Thomas N. [mailto:[EMAIL PROTECTED]] > > Sent: Monday, January 27, 2003 11:15 PM > > To: [EMAIL PROTECTED] > > Subject: Re: Cisco 831 routers [7:61707] > > > > > > Thanks Paul. Do you have any chance to test out for performance of > > GRE+IPSec? Is it better than that of software-based > > encryption on the 2600 > > routers? > > > > > > ""Paul Forbes"" wrote in message > > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > > They're available (we have four in house ready for deployment). I > > > haven't tested them with "all knobs on" (GRE+IPsec, CBAC, IDS, QoS, > > > EIGRP/OSPF, etc.), but VPN+CBAC has worked beautifully. > > > > > > Check with your VAR or Cisco account team for leadtimes. > > > > > > Cheers. > > > > > > Paul > > > > > > > -Original Message- > > > > From: Thomas N. [mailto:[EMAIL PROTECTED]] > > > > Sent: Thursday, January 23, 2003 12:32 PM > > > > To: [EMAIL PROTECTED] > > > > Subject: Cisco 831 routers [7:61707] > > > > > > > > > > > > Hi All, > > > > > > > > I wonder if anyone here could get a hold of the new Cisco 831 > > > > VPN router? I > > > > am trying to get couple of these routers but being told they > > > > are onhold by > > > > Cisco. I am just curious why? and when they are available > > > > again? Thanks! > > > > > > > > Thomas. > > > > Report misconduct > > > > and Nondisclosure violations to [EMAIL PROTECTED] > > Report misconduct > > and Nondisclosure violations to [EMAIL PROTECTED] Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62060&t=61707 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
MTU size for IPSec+GRE tunnel [7:62161]
Hi All, I am trying to avoid fragmentation of packets across the IPSec+GRE tunnel with "transform-set" using "ah-sha-hmac" AND "esp-3des" for header authentication and payload encryption. What size of MTU or "TCP addjust-MSS" should I use for maximum performance? I tried out couple values and found TCP adjust-mss of 1076 worked out OK most, but still don't understand why. According Cisco whitepaper, reducing MTU to about 1400 should void the fragmentation but it didn't work in my case. Please help. Thanks! Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62161&t=62161 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
VPN tunnel with IPSec over GRE [7:54634]
Hi All, I am setting up a site-to-site VPN between 2 LANs using Cisco IOS VPN (Cisco 2600 routers). I could get the tunnel up and running between the two LANs with IPSec over GRE so that I can run EIGRP. Data transfer between 2 LANs across the tunnel looks OK, and all dynamic routes learned with EIGRP. However, a problem come up when I put a Proxy Server on the first LAN and force Internet traffic from workstations from the second LAN to go out with this Proxy server. Workstations from the second LAN could browse Internet across the tunnel to reach the Proxy server then hit the Internet; however, the performance is very poor (seem like browsing over a 56k modem). I am thinking this may be because of fragmentation on the 2 routers. Is there any work around for this issue? If MTU size needs to be adjusted, what would be the ideal MTU size for IPSec over GRE tunnel in "tunnel" mode? Again, thank you All for the help! Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54634&t=54634 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VPN tunnel with IPSec over GRE [7:54634]
Thank you All for the confirmation! I used extended ping with DF bit set as Richarde mentioned and found out that the packet size that can fit into the tunnel without fragmentation is much less than 1500 bytes. I also went over couple white papers from Cisco website. They mentions about using "ip tcp adjust-mss ", "ip mtu " as well as "tunnel path-mtu-discovery" command. I tried to apply these commands on the routers at the 2 endpoints of the tunnel but it still didn't work. I see myself running into the confusion and have couple questions regarding: - What's the difference between "ip tcp adjust-mss " and "ip mtu " commands? - Which one should I use? or both? - Which and where I should apply these commands? on the tunnel interfaces, Ethernet segment, or on the Internet interface? Below is my topology. Client machine needs to pass through the tunnel, then hit the Proxy Server for Internet access. Again, thank you All for the HELP!!! Client ---> Fa0/0-RouterA-Fa0/1---> IPSec over GRE tunnel --->Fa0/1-RouterB-Fa0/0---> Proxy Server---> Internet Thomas ""Richard Deal"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > It's probably an MTU problem. > > I have an IPSec connection being tunneled via GRE, which in turn, is > tunneled by another IPSec connection. Don't ask why I'm doing this :-) But > we had to set the MTU down to 1320 to prevent fragmentation, and thus > performance, issues. > > In your case, you might want to try using the extended ping with the "no > fragment" option to determine which MTU size will work in your situation. > > Cheers! > > Richarde > ""Thomas N."" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > Hi All, > > > > I am setting up a site-to-site VPN between 2 LANs using Cisco IOS VPN > (Cisco > > 2600 routers). I could get the tunnel up and running between the two LANs > > with IPSec over GRE so that I can run EIGRP. Data transfer between 2 LANs > > across the tunnel looks OK, and all dynamic routes learned with EIGRP. > > However, a problem come up when I put a Proxy Server on the first LAN and > > force Internet traffic from workstations from the second LAN to go out > with > > this Proxy server. Workstations from the second LAN could browse Internet > > across the tunnel to reach the Proxy server then hit the Internet; > however, > > the performance is very poor (seem like browsing over a 56k modem). I am > > thinking this may be because of fragmentation on the 2 routers. Is there > > any work around for this issue? If MTU size needs to be adjusted, what > > would be the ideal MTU size for IPSec over GRE tunnel in "tunnel" mode? > > Again, thank you All for the help! > > > > Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54686&t=54634 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VPN tunnel with IPSec over GRE [7:54634]
We have Ms. Proxy Server 2.0 Thomas. ""sam sneed"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > What kind of Proxy server is it? Hopefully UNIX so you can do a tcpdump to > see what is actually getting to it. I'd suggest hooking up some packet > sniffers in differernt places to see what is getting where and you'll be > able to narrow down the problem. > > > > ""Thomas N."" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > Thank you All for the confirmation! I used extended ping with DF bit set > as > > Richarde mentioned and found out that the packet size that can fit into > the > > tunnel without fragmentation is much less than 1500 bytes. I also went > over > > couple white papers from Cisco website. They mentions about using "ip tcp > > adjust-mss ", "ip mtu " as well as "tunnel path-mtu-discovery" > > command. I tried to apply these commands on the routers at the 2 > endpoints > > of the tunnel but it still didn't work. I see myself running into the > > confusion and have couple questions regarding: > > > > - What's the difference between "ip tcp adjust-mss " and "ip mtu > > " commands? > > - Which one should I use? or both? > > - Which and where I should apply these commands? on the tunnel interfaces, > > Ethernet segment, or on the Internet interface? > > > > Below is my topology. Client machine needs to pass through the tunnel, > then > > hit the Proxy Server for Internet access. Again, thank you All for the > > HELP!!! > > > > > > Client ---> Fa0/0-RouterA-Fa0/1---> IPSec over GRE > > tunnel --->Fa0/1-RouterB-Fa0/0---> Proxy Server---> Internet > > > > > > > > Thomas > > > > > > > > ""Richard Deal"" wrote in message > > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > > It's probably an MTU problem. > > > > > > I have an IPSec connection being tunneled via GRE, which in turn, is > > > tunneled by another IPSec connection. Don't ask why I'm doing this :-) > But > > > we had to set the MTU down to 1320 to prevent fragmentation, and thus > > > performance, issues. > > > > > > In your case, you might want to try using the extended ping with the "no > > > fragment" option to determine which MTU size will work in your > situation. > > > > > > Cheers! > > > > > > Richarde > > > ""Thomas N."" wrote in message > > > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > > > Hi All, > > > > > > > > I am setting up a site-to-site VPN between 2 LANs using Cisco IOS VPN > > > (Cisco > > > > 2600 routers). I could get the tunnel up and running between the two > > LANs > > > > with IPSec over GRE so that I can run EIGRP. Data transfer between 2 > > LANs > > > > across the tunnel looks OK, and all dynamic routes learned with EIGRP. > > > > However, a problem come up when I put a Proxy Server on the first LAN > > and > > > > force Internet traffic from workstations from the second LAN to go out > > > with > > > > this Proxy server. Workstations from the second LAN could browse > > Internet > > > > across the tunnel to reach the Proxy server then hit the Internet; > > > however, > > > > the performance is very poor (seem like browsing over a 56k modem). I > > am > > > > thinking this may be because of fragmentation on the 2 routers. Is > > there > > > > any work around for this issue? If MTU size needs to be adjusted, > what > > > > would be the ideal MTU size for IPSec over GRE tunnel in "tunnel" > mode? > > > > Again, thank you All for the help! > > > > > > > > Thomas N. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54754&t=54634 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
ACL for DMVPN [7:74028]
I got a lab setup simulating DMVPN with IPSec over GRE. I would like to apply an access control list to the outside interface of the routers to block everything, except for TCP/UPD ports that are needed for GRE, IPSec, IKE and those related to DMVPN implementation. Does someone know what ports should I open on the ACL? Thanks! Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74028&t=74028 -- **Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
TCP/UDP port for CHAP [7:74480]
I got SOHO sites with PPPoE connection to the Internet. They use CHAP for authentication. I would like to setup an ACL to filter out traffic on the outside interface. I am wondering what TCP/UDP port CHAP protocol use? Thanks! Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74480&t=74480 -- **Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
PKI [7:74482]
I am not sure if this question is off the topic or not but hopping people can give me some suggestion. I am working on DMVPN and it seems PKI can not be missed out of the design for security purpose. I am wondering what are good PKI vendors out there? Is there any hardware appliance PKI vendor? Thanks! Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74482&t=74482 -- **Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Re: PKI [7:74482]
Thanks Annlee! ""annlee"" wrote in message news:[EMAIL PROTECTED] > This page (mind the wrap) > http://www.ealaddin.com/partners/findpartner2.asp?SolutionCategory=11&Partne rshipCategory=&PartnerName=&CompanyProduct=&PartnerSearch.x=39&PartnerSearch .y=7 > lists a number of PKI Infrastructure partners to an etoken company. It > might be place to start. > > Annlee > > Thomas N wrote: > > > I am not sure if this question is off the topic or not but hopping people > > can give me some suggestion. I am working on DMVPN and it seems PKI can > not > > be missed out of the design for security purpose. I am wondering what are > > good PKI vendors out there? Is there any hardware appliance PKI vendor? > > Thanks! > > **Please support GroupStudy by purchasing from the GroupStudy Store: > > http://shop.groupstudy.com > > FAQ, list archives, and subscription info: > http://www.groupstudy.com/list/cisco.html > **Please support GroupStudy by purchasing from the GroupStudy Store: > http://shop.groupstudy.com > FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75222&t=74482 -- **Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
