I am a freelance IT consultant currently residing in The Netherlands. My background is partly in languages (I speak German, French, Spanish, and Dutch), which sometimes can be useful when working for international customers.
Hello,
not sure if I read your topology correctly, but if you are dual-homed to the same ISP, which router do you want to be the exit point? Your iBGP peer is a JunOS router? Can you post the config of that router as well?
Hello,
the original configuration sheet you posted mentions SHA1 to be used as a hash algorithm. This would mean that you would need ikev2, which is a different encryption. At the very least, check with the other side if that is the case...
If you only need the crypto map, delete interface Tunnel 2 altogether.
The reason you get the 'proxy identities not supported' error is because the access lists that define the traffic that needs to be encrypted don't match on both sides. What device is the company on the other side using? Can you post their config as well?
Hello,
--> We have a working BGP with same ISP & same AS at our other DC, but that is JunOS.
That might be the problem. What is your ISP supposed to send to the new peer? Check with your ISP what networks or routes they are sending, if any, to the new peer...
Hello,
looking at your static routes:
ip route 0.0.0.0 0.0.0.0 41.77.178.13 <-- what is IP address 41.77.178.13?
ip route 10.16.1.0 255.255.255.0 Tunnel2
ip route 191.162.21.65 255.255.255.255 Tunnel1
You have a crypto map and an SVI, which one are you using (or are you using both)? What does your topology look like?
The only route you need should be:
ip route 0.0.0.0 0.0.0.0 90.210.32.6
or
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
Hello,
change your NAT statement:
--> no ip nat inside source list 100 interface GigabitEthernet0/0 overload
--> ip nat inside source list 102 interface GigabitEthernet0/0 overload
Hello,
your access list 100 is still wrong. The 'deny' entries need to be first:
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.112
access-list 100 permit ip 10.213.16.0 0.0.0.255 any
Hello,
you need to change your NAT access list to deny traffic to the VPN destination hosts, and also the VPN access list. They should look like below:
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.112
access-list 100 permit ip 10.213.16.0 0.0.0.255 any
!
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.112
Hello,
as far as I recall, STAC is less predictable and consistent than Predictor. Your response times vary, that alone might cause the difference in compression rates. Do you get the same with 'compress predictor'?
https://www.cisco.com/c/en/us/support/docs/wan/data-compression/14156-compress-overview.html
Hello,
to partially answer your question: the ISR 4331 has a base throughput of 100MB, with the Performance license you will get 300MB, and with the Boost license you get over 2Gbps. The throughput is activated in software.
Check Table 4 of the attached document.
https://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/data_sheet-c78-732542.html