In short: Is there a better way to find which switch port a PC is connected to if you have multiple switches?

Longer version: I am currently working in a building that has an unconventional network design. There are four floors, but all the patch panels are terminated on one floor and all the switches are there also. Patch panels are also mixed, so one patch panel has cables coming from different floors. There are six patch panels (24-port) and three 3750 48-port switches. I have been working on cleaning up the cables, but there's another problem. If I want to change the VLAN of a PC on, say, the third floor, I will have to go to each switch and look for its MAC address. Is there a better way to do this? I can't do stacking because the switches are old and the stack ports look damaged.

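Instead of searching each of the three 3750s by hand, the output of show mac address-table can be collected from every switch once and searched in one place. The following is an added example, not code from the original post; the switch names, port numbers and the uplink list are constructed, and it deliberately skips MACs learned on uplink ports, since every switch on the path towards the PC reports the same address there.

```python
import re

# Constructed "show mac address-table" output for two switches, in the Catalyst 3750
# format (not captured from the poster's switches). The PC MAC 0011.2233.4455 sits on
# SW1 Gi1/0/7 and is also learned by SW2 through its uplink, as happens in real life.
SWITCH_OUTPUT = {
    "SW1": """          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
  10    0011.2233.aabb    DYNAMIC     Gi1/0/48
""",
    "SW2": """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    00aa.bbcc.ddee    DYNAMIC     Gi1/0/3
  10    0011.2233.4455    DYNAMIC     Gi1/0/48
""",
}
UPLINKS = {"SW1": {"Gi1/0/48"}, "SW2": {"Gi1/0/48"}}  # assumed inter-switch links

ROW = re.compile(r"^\s*(\d+|All)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)

def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex; return Cisco dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples from 'show mac address-table' output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2).lower(), m.group(3).upper(), m.group(4)))
    return rows

def locate_mac(mac, outputs, uplinks):
    """Return [(switch, vlan, port)] where mac is dynamically learned on a non-uplink port.
    Uplink entries are skipped: every switch on the path learns the MAC on its uplink."""
    target = normalize_mac(mac)
    hits = []
    for switch, text in outputs.items():
        for vlan, addr, typ, port in parse_mac_table(text):
            if addr == target and typ == "DYNAMIC" and port not in uplinks.get(switch, set()):
                hits.append((switch, vlan, port))
    return hits
```

With real output, the dictionary is filled from one show mac address-table per switch (pasted or collected over SSH); a MAC that only ever shows up on uplinks means the uplink list is incomplete or the host is behind a switch you did not collect from.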
I am creating a VPN with another router and for some reason PFS is not being enabled from my end. Here's my crypto config:

crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
!
crypto isakmp key ABC123456 address 20.30.40.50
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
 mode tunnel
!
!
crypto map map1 30 ipsec-isakmp
 set peer 20.30.40.50
 set transform-set des-md5
 set pfs group2
 match address SECRET_STUFF

Here's the output of sh crypto ipsec sa:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
current_peer 20.30.40.50 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 821, #recv errors 0
local crypto endpt.: 1.2.3.4, remote crypto endpt.: 20.30.40.50
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Vlan10
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none <<<

And here's sh crypto map:

Crypto Map IPv4 "map1" 30 ipsec-isakmp
 Peer = 20.30.40.50
 Extended IP access list VPN_TRAFFIC
  access-list SECRET_STUFF permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 Security association lifetime: 4608000 kilobytes/3600 seconds
 Responder-Only (Y/N): N
 PFS (Y/N): Y <<<
 DH group: group2
 Mixed-mode : Disabled
 Transform sets={
  des-md5: { esp-des esp-md5-hmac } ,
 }
 Interfaces using crypto map map1:
  Vlan3

What am I doing wrong here? I also get the following error in the logs:

*May 9 01:52:29.850: ISAKMP:(2046): phase 2 SA policy not acceptable! (local 1.2.3.4 remote 20.30.40.50)

Both Phase 1 encr, hash and group have been double-checked on both sides. They match.

I had a default route for the WAN-1 but it was causing issues, so I have removed it now.

C 10.10.10.0/24 is directly connected, Vlan10
L 10.10.10.1/32 is directly connected, Vlan10
C 10.10.20.0/24 is directly connected, Vlan20
L 10.10.20.1/32 is directly connected, Vlan20
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan2
L 192.168.10.1/32 is directly connected, Vlan2
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, Vlan3
L 192.168.20.1/32 is directly connected, Vlan3

I have two active WAN connections, so I have a route-map for each connection. If I connect a PC to the LAN, everything works fine. But ping doesn't work with a source. If I do ping 8.8.8.8 source vlan 10, it doesn't work. Here's my config:

interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
 switchport mode trunk
!
interface FastEthernet2
 switchport access vlan 3
!
interface Vlan2
 description WAN-1
 ip address 192.168.10.2 255.255.255.252
!
interface Vlan3
 description WAN-2
 ip address 192.168.20.2 255.255.255.252
 ip nat outside
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-10
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-20
!
ip nat inside source list Vlan10 interface Vlan2 overload
ip nat inside source list Vlan20 interface Vlan3 overload
!
ip access-list extended Vlan10
 permit ip 10.10.10.0 0.0.0.255 any
!
ip access-list extended Vlan20
 permit ip 10.10.20.0 0.0.0.255 any
!
route-map PBR-10 permit 10
 set ip default next-hop 192.168.10.1
!
route-map PBR-20 permit 10
 set ip default next-hop 192.168.20.1
!

If I have two WAN connections and I load balance between both, how would it work? Say I open a website and log in to my account and these requests get served by the first WAN. Afterwards the first WAN gets busy and my requests are routed through the second one. Wouldn't that cause problems with the website? Thanks in advance.

Ok. I have found the issue. I was checking using traceroute and ping with source on the Cisco router itself and for some reason it never worked. I just connected a computer to the router and everything is working fine! I can use both ISPs.

This is live. I am using a Cisco 880. I just changed the public IP addresses to 1.1.1.1 and 2.2.2.2 in the config I posted.

sh ip policy:

Interface      Route map
Vlan20         PBR

Here's the sh ip int brief output:

Interface        IP-Address      OK? Method Status                Protocol
ATM0             unassigned      YES NVRAM  administratively down down
Ethernet0        unassigned      YES NVRAM  up                    down
FastEthernet0    unassigned      YES unset  up                    up
FastEthernet1    unassigned      YES unset  up                    up
Vlan1            unassigned      YES unset  administratively down down
Vlan2            1.1.1.2         YES NVRAM  up                    up
Vlan3            2.2.2.2         YES manual up                    up
Vlan10           10.10.10.1      YES NVRAM  up                    up
Vlan20           10.10.20.1      YES NVRAM  up                    up

The computer has an IP address of 10.10.20.11.

I have a router with a default route set to the first WAN. I want to set up a second WAN but can't remove the default route because the router is live. I have added an ip policy to the second WAN interface, but it is being ignored and it uses the default route of the first WAN instead (I have confirmed this using trace). Here's my config:

aaa new-model
!
aaa authentication login default local
!
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool Vlan10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool Vlan20
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
 dns-server 8.8.8.8 8.8.4.4
!
ip domain name test.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
 switchport access vlan 3
!
interface Vlan1
 shutdown
!
interface Vlan2
 description WAN-1
 ip address 1.1.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
!
interface Vlan3
 description WAN-2
 ip address 2.2.2.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
!
interface Vlan10
 description LAN-1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan20
 description LAN-2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR
!
ip nat inside source list Vlan10 interface Vlan2 overload
ip nat inside source list Vlan20 interface Vlan3 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip access-list extended Vlan10
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended Vlan20
 permit ip 10.10.20.0 0.0.0.255 any
route-map PBR permit 10
 match ip address Vlan20
 set ip next-hop 2.2.2.1

This is a follow-up to this discussion: https://community.cisco.com/t5/routing/two-active-wan-connections/m-p/3815883#M311082

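The following is an added example (not the poster's or Cisco's code) that models how IOS applies the route-map in this post to a packet, using the posted ACLs, route-map and routes, so the earlier observation that a ping sourced from the router itself ignored the policy while a PC behind it worked can be reproduced offline. The PBR-10 entry using set ip default next-hop is taken from the poster's earlier two-WAN config for contrast; the /30 WAN prefixes are assumed from the interface masks.

```python
import ipaddress

# Constructed model of the posted config (not the router's code): interface PBR on Vlan20,
# default route via WAN-1, connected routes per VLAN. PBR-10 is the 'default next-hop'
# form from the poster's earlier two-WAN post, included for contrast.
ACLS = {"Vlan10": ["permit ip 10.10.10.0 0.0.0.255 any"],
        "Vlan20": ["permit ip 10.10.20.0 0.0.0.255 any"]}
ROUTE_MAPS = {"PBR": [("Vlan20", "next-hop", "2.2.2.1")],          # (match acl, set kind, hop)
              "PBR-10": [(None, "default next-hop", "192.168.10.1")]}
INTERFACE_POLICY = {"Vlan20": "PBR", "Vlan10": "PBR-10"}   # 'ip policy route-map' per SVI
LOCAL_POLICY = None                  # no 'ip local policy route-map' in the posted config
ROUTES = [("10.10.10.0/24", "Vlan10"), ("10.10.20.0/24", "Vlan20"),
          ("1.1.1.0/30", "Vlan2"), ("2.2.2.0/30", "Vlan3"), ("0.0.0.0/0", "1.1.1.1")]

def _network(tokens):
    """Consume one ACL address term ('any', 'host A', or 'A wildcard'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]  # wildcard = hostmask

def acl_permits(acl_name, src, dst):
    """First-match evaluation of a simple 'permit|deny ip <src> <dst>' extended ACL."""
    for entry in ACLS[acl_name]:
        action, _proto, *rest = entry.split()
        s, rest = _network(rest)
        d, _ = _network(rest)
        if src in s and dst in d:
            return action == "permit"
    return False  # implicit deny

def longest_match(dst):
    """(prefix, next hop or interface) of the most specific route covering dst."""
    covering = [(p, nh) for p, nh in ROUTES if dst in ipaddress.ip_network(p)]
    return max(covering, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)

def forward(src, dst, ingress, locally_generated=False):
    """Next hop as IOS picks it: interface PBR sees only transit packets received on that
    interface; router-originated packets are policy routed only by 'ip local policy'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    policy = LOCAL_POLICY if locally_generated else INTERFACE_POLICY.get(ingress)
    prefix, nh = longest_match(dst)
    for acl, kind, hop in ROUTE_MAPS.get(policy, []):
        if acl is None or acl_permits(acl, src, dst):
            # 'set ip next-hop' overrides the routing table, even for connected subnets;
            # 'set ip default next-hop' applies only when nothing beats the default route.
            if kind == "next-hop" or prefix == "0.0.0.0/0":
                return hop
            break
    return nh
```

The model also shows why a PBR match clause should exclude the other local VLAN when set ip next-hop is used: traffic from 10.10.20.x to 10.10.10.x is sent to the WAN-2 gateway rather than routed locally.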
Hi, I have a Cisco 870Va router. There are two WAN connections from different ISPs. I need to create a LAN for each connection. Both will have their own DHCP server and each will use a different WAN. So LAN1 will use WAN1 and vice versa. Where I am stuck is the route. I can only do ip route 0.0.0.0 0.0.0.0 1.2.3.4 for one WAN only. How do you do it when you have two WANs?
QoS for traffic going outside the router is straightforward. You specify classes for your traffic and prioritize, shape and police based on the classes.

Ingress is a little confusing. Assuming I have 4/4 Mbps bandwidth available, I shape my traffic to 4 Mbps so there are no drops. Voice is prioritized and non-priority traffic is policed. Everything is perfect on the egress side.

But what can I do on the ingress side to ensure all the bandwidth is not used for HTTP? I can just police HTTP, right? But what if someone tries to download using some other protocol and uses all the available bandwidth? I can't shape or do prioritization for ingress traffic.

Assuming my priority traffic comes from 1.2.3.4 and 4.5.6.7 and I want to reserve 3 Mb of bandwidth for it, is the following the best way?

class-map priority_traffic
 match access-group name priority
policy-map input
 class priority_traffic
 class class-default
  police cir 1000000
   conform-action transmit
   exceed-action drop
ip access-list extended priority
 permit ip host 1.2.3.4 any
 permit ip host 4.5.6.7 any