08-28-2007 12:50 PM - edited 03-03-2019 06:30 PM
We have a 1700 Router at our corporate location and have a Netopia at our branch. NetScreen boxes handle the VPN. (I had nothing to do with this part)
We are currently using 120% of our T1 according to McCleod. I have been running PRTG Traffic Grapher because I haven't been able to figure out netflow. I believe the IOS is too out of date on my router. But it shows some pretty high peaks, but not a constant flow of data like spyware/virus, etc. I have it set up to scan all 60+ computers nightly so I can rule that excess data out.
100126>show hardware
Cisco IOS Software, C1700 Software (C1700-IPBASE-M), Version 12.4(1a), RELEASE SOFTWARE (fc2
What the other guy wants is to get 2 Comcast business lines, one in each location, and have the VPN run over that and have the T1s for Mail/HTTP.
He hears 12Mb down/3Mb up. All I hear is Comcast. My thought is that with the Comcast line we'll get screwed because of all the other traffic, since it's not direct like the T1.
For this, I assume I can use a few 1800 series routers, remove the NetScreens and implement an ACL to route VPN traffic one way and everything else the other.
I took the Cisco classes back in 2002-2003, but never finished. Got into Real Estate instead (oops). Can I still use my books for ACLs, or has a bunch changed and I need to get new ones?
Thank you so much in advance!
09-03-2007 10:07 AM
I think you have to enable process switching on the LAN interface of both routers to allow applications to run across the site-to-site IPSec tunnel, using the syntax below:
interface Vlan1
 no ip route-cache cef
 no ip route-cache
09-03-2007 12:09 PM
Matthew
There are multiple aspects of your message which may deserve discussion and I will attempt to stick to the most essential points.
I am puzzled about your statement about the router IOS being too old. Too old for what? It is running 12.4(1) and while it is not very new it is not all that old either.
Your description seems to indicate that you are currently running VPNs between your main site and branches and it seems to indicate that connectivity is over a T1. Is this the case? If you go to the new environment will you want one VPN (with traffic on the other link in clear text) or will you want two VPNs? One VPN is easy while doing two VPNs (between a branch and the same main site) is tricky.
I believe that the feature that you are describing to send mail/HTTP over one link and other traffic over another link is called Policy Based Routing. PBR uses route maps (which use access lists) to identify traffic and to specify a different routing path than the normal routing table for certain traffic (like mail/HTTP). While some things have changed since your books (especially new features), I would be pretty confident that the things that are covered in your books would still work ok.
Bill
I am surprised at your suggestion about needing to force process switching. While that might be good to do if you want to run debug, I do not see any reason why you would need process switching to run access lists or to run PBR. I have certainly run lots of traffic over IPSec VPN connections site to site without needing process switching. It works very well with CEF.
HTH
Rick
09-03-2007 03:16 PM
Hi,
As usual I agree with Rick on all that he says, with the additional note that 12.4(1) has deferred status and should never be used. Please upgrade to the latest 12.4 mainline for peace of mind and to run a supported platform in case for any reason you need to resort to TAC for support.
Another note: I've found that it is necessary to disable CEF on certain EzVPN configurations, but that does not appear to be the case in question.
09-04-2007 06:09 AM
Nevermind, I have netflow configured now. I have to find a collector.
You are correct. I have a Corporate Office and a branch office, with a T1 in between. I would only want 1 VPN. That VPN would run over the cable connection and handle our database, file server and domain. The T1 that we currently have would be left for Mail, HTTP, etc.
09-04-2007 09:22 AM
Matthew
I am glad that you have resolved the issue with Netflow.
It should be fairly easy to configure Policy Based Routing so that most traffic would route over the VPN on the cable connection and that Mail and HTTP (or whatever you want to specify) would be sent over the T1.
HTH
Rick
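The PBR setup Rick describes (route map plus access list steering mail/HTTP onto the T1, everything else following the routing table and the VPN on the cable link) looks roughly like this on an 1800-series branch router. This is an added example, not configuration from anyone in the thread. Interface names (Vlan1 for the LAN, Serial0/0/0 for the T1, FastEthernet0/0 for the cable modem), all addresses (RFC 5737 documentation space), the LAN prefix 10.2.0.0/24 and the crypto map name SITE2SITE are assumptions; the IPsec tunnel itself is not shown.

```cisco
! Added example (not from the thread): policy-based routing on a hypothetical
! 1800-series branch router. Mail and HTTP/HTTPS from the LAN are steered onto
! the T1; everything else follows the routing table, whose default points at the
! cable link, where the crypto map encrypts traffic for the other site.
! Interface names, addresses and the LAN prefix are assumptions.
!
! Traffic to steer onto the T1: SMTP, POP3, IMAP, HTTP, HTTPS sourced from the LAN.
! (IOS has no port-name keyword for IMAP or HTTPS, so 143 and 443 are numeric.)
ip access-list extended MAIL-HTTP
 permit tcp 10.2.0.0 0.0.0.255 any eq smtp
 permit tcp 10.2.0.0 0.0.0.255 any eq pop3
 permit tcp 10.2.0.0 0.0.0.255 any eq 143
 permit tcp 10.2.0.0 0.0.0.255 any eq www
 permit tcp 10.2.0.0 0.0.0.255 any eq 443
!
! Probe the T1 provider's next hop so the policy stops firing if the T1 goes down;
! without this, PBR keeps pushing mail/HTTP into a dead circuit.
! 12.4 mainline syntax shown; 12.4(20)T and later use "ip sla" / "track 1 ip sla 1".
ip sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 source-interface Serial0/0/0
 frequency 5
ip sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
route-map PBR-T1 permit 10
 match ip address MAIL-HTTP
 set ip next-hop verify-availability 198.51.100.1 10 track 1
! No further sequence is needed: packets that do not match MAIL-HTTP, and matched
! packets while track 1 is down, are simply routed by the normal routing table.
!
! PBR acts on packets *entering* the interface it is applied to, so it belongs on
! the LAN interface, not on either WAN link.
interface Vlan1
 description Branch LAN
 ip address 10.2.0.1 255.255.255.0
 ip policy route-map PBR-T1
!
interface Serial0/0/0
 description T1 (mail/HTTP only)
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/0
 description Comcast cable, carries the IPsec tunnel
 ip address 203.0.113.10 255.255.255.248
 crypto map SITE2SITE
!
! Default via the cable link; the crypto map (defined elsewhere) picks up whatever
! its crypto ACL matches, e.g. traffic for the corporate LAN.
ip route 0.0.0.0 0.0.0.0 203.0.113.9
```

Verify with `show route-map PBR-T1` (the "Policy routing matches" counter should climb when someone browses or sends mail), `show ip policy` to confirm the map is bound to Vlan1, and `show track 1` to see whether the T1 next hop is currently reachable. `debug ip policy` prints a line per policy-routed packet and is the one thing here that does need process-switched traffic, so use it briefly on a quiet router or with an ACL filter; the PBR itself is CEF-switched on these releases, so, as Rick notes, there is no need to turn off `ip route-cache cef` to make it work.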